bug-gnuzilla

CAcert.org's inclusion into IceCat


From: Reed Loden
Subject: CAcert.org's inclusion into IceCat
Date: Mon, 6 Oct 2008 04:35:10 -0500

On Thu, 25 Sep 2008 00:10:12 +0200
Giuseppe Scrivano <address@hidden> wrote:

> In addition, CAcert.org, already used for https://savannah.gnu.org,
> was added to the builtin root certificates.

I'm very disappointed by this decision. Considering all the
well-documented problems with CAcert.org, this seems like a very bad
choice to be making.

Just looking on CAcert.org's wiki, you can read some of the following
pages to find copious amounts of information on why CAcert.org isn't
ready to be used:
* http://wiki.cacert.org/wiki/Audit -- Links to various other pages
concerning CAcert.org's ongoing audit, especially their lack of a
single completed audit
* http://wiki.cacert.org/wiki/AuditToDo -- List of things left for
CAcert.org's first audit to be completed; still a long ways to go until
the audit is completed
* http://wiki.cacert.org/wiki/PolicyDrafts -- Note the lack of set
policies on how assurance is handled; how does one know that the
certificates issued by CAcert.org for a domain were really bought by
that domain if there's no set policy outlining how checks and
validations are made?
* http://wiki.cacert.org/wiki/InclusionStatus -- Links to several
places that explain why CAcert.org isn't ready to be included; note the
number of well-known browsers and operating systems that have yet to
include CAcert.org because of CAcert.org's current ongoing issues and
lack of a completed audit

There is also time in CAcert.org's history for which the security
of its root cannot be properly accounted for. What would happen if indeed
the private key of CAcert.org were to be leaked out? People could
create SSL certificates for any domain they liked, and they would
all be accepted by IceCat without any regards to their validity.

Also, CAcert.org has issued both assured and unassured SSL certificates
from the same root, which is insecure and highly not recommended. This
is one of the main reasons Ubuntu refused to add CAcert.org's root back
when it went through discussion in 2005. I'm not sure if CAcert.org is
still issuing certificates this way, but just the fact that they have
done it at some point in time is worrisome.

I believe you're doing a disservice to IceCat's users by including a CA
root that hasn't been properly vetted and whose root cannot be
accounted for for long periods of time. Users put trust into their
browser's CA root repository that the SSL certificates they encounter
will have been properly vetted for a certain level of quality. By
adding CAcert.org with other vetted roots, you lower the quality of the
other roots in the browser's CA root repository, as users won't be able
to know who exactly they can trust.

If you're looking for free or cheap SSL certificates, CAcert.org isn't
the only option out on the market. I do know that StartCom's StartSSL CA
offers free class 1 DV SSL certificates, and their OV and EV
certificates are fairly cheap, too. The StartSSL CA root has been
properly vetted and audited, so it can be trusted just as much as a big
name such as VeriSign.

Once CAcert.org completes its first audit and meets the basic
requirements of policies such as the Mozilla CA Certificate Policy
(http://www.mozilla.org/projects/security/certs/policy/), then I'm sure
you'll have no problem getting CAcert.org's root added to the
repositories of many browsers and operating systems. Until then, I
believe you should remove the root from IceCat so users can remain
secure and regain the feeling of assurance that by going to a site
over SSL, they are indeed visiting the actual site and not a site
using a fraudulent SSL certificate.

I hope you will take the above information with an open mind and do
what is best for the safety and security of IceCat's userbase.

~reed

-- 
Reed Loden - <address@hidden> / <address@hidden>
The GNU Project [gnu.org]
Free Software Foundation [fsf.org]



