openjdk team mailing list archive

[Bug 1258286] Re: CAcert should not be trusted by default

 

Sorry guys, I just have to comment. I am asking again, why should CAcert
be removed? The reason why it should be removed is just because of
unproven concerns about CAcert's code quality and the audit which
appears to be stalled? I guess that those responsible at Ubuntu should
contact CAcert to get an invitation to their internal audit process first
before doing so. And generally I have to add again: if this is the only
reason, then the other CA certificates which also use dubious methods
for providing certificates or have weak identification checks for
customers should also be removed.

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1258286

Title:
  CAcert should not be trusted by default

Status in “ca-certificates” package in Ubuntu:
  Fix Released
Status in “ca-certificates-java” package in Ubuntu:
  Fix Released
Status in “nss” package in Ubuntu:
  Fix Released
Status in “ca-certificates” source package in Lucid:
  Fix Released
Status in “ca-certificates-java” source package in Lucid:
  New
Status in “nss” source package in Lucid:
  New
Status in “ca-certificates” source package in Precise:
  Fix Released
Status in “ca-certificates-java” source package in Precise:
  New
Status in “nss” source package in Precise:
  New
Status in “ca-certificates” source package in Quantal:
  Fix Released
Status in “ca-certificates-java” source package in Quantal:
  New
Status in “nss” source package in Quantal:
  New
Status in “ca-certificates” source package in Saucy:
  Fix Released
Status in “ca-certificates-java” source package in Saucy:
  New
Status in “nss” source package in Saucy:
  New
Status in “ca-certificates” source package in Trusty:
  Fix Released
Status in “ca-certificates-java” source package in Trusty:
  Fix Released
Status in “nss” source package in Trusty:
  Fix Released
Status in “ca-certificates” package in Debian:
  Fix Released
Status in “ca-certificates-java” package in Debian:
  Fix Released

Bug description:
  Ubuntu is one of the few distributions shipping CAcert as a trusted
  certificate. Many distributions are considering[1] whether to remove
  CAcert, and Mozilla closed the RFE[2] for CAcert in 2008, which was
  opened in 2003.

  Concerns were expressed about CAcert's code quality[3], and their
  audit appears to be stalled.

  In the past, it appears that Ubuntu disabled[4] CAcert, but this is no
  longer the case. It may be wise to do so again.

  [1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#50
  [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
  [3]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#45
  [4]: http://wiki.cacert.org/InclusionStatus?highlight=Ubuntu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1258286/+subscriptions