From: Reed Loden
Subject: [Savannah-help-public] [sr #106651] Savannah should not use CAcert.org-signed SSL certificates
Date: Sun, 22 Feb 2009 09:52:46 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090221 Minefield/3.2a1pre

URL:
  <http://savannah.gnu.org/support/?106651>

                 Summary: Savannah should not use CAcert.org-signed SSL certificates
                 Project: Savannah Administration
            Submitted by: r33d
            Submitted on: Sun 22 Feb 2009 03:52:43 AM CST
                Category: Savannah website
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Savannah (both .gnu.org and .nongnu.org) are currently using SSL certificates
signed by CAcert.org. Karl mailed savannah-hackers-public@ on this issue last
October after he saw my initial mail to bug-gnuzilla@ concerning IceCat's
inclusion of the CAcert.org CA root. Frankly, it's scary that Savannah is
using a certificate from a root that doesn't have full knowledge of where its
private key has been over the last several years. I believe they've
regenerated a new private key lately, but that still doesn't excuse them for
other practices and issues they've had. We shouldn't be trusting them for
something as important as SSL just because they tell us to. Once they've had a
real third-party audit, then we can talk, but until then, Savannah should be
using an SSL certificate signed by an audited CA root.

My original mail to bug-gnuzilla@ and subsequent thread -
http://lists.gnu.org/archive/html/bug-gnuzilla/2008-10/msg00049.html

Karl's mail to savannah-hackers-public@ and subsequent thread -
http://lists.gnu.org/archive/html/savannah-hackers-public/2008-10/msg00006.html

I think this is a very important issue that should be taken seriously. We
should care about the security of Savannah and how it affects users. We should
not be helping to coax users into ignoring valid SSL certificate error pages.
If this is purely a money issue, I'm sure the FSF has enough money to help buy
a valid SSL certificate for Savannah.

I'll be happy to entertain comments/questions/etc. about this, so let me know
what's on your mind.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?106651>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
