|
List Info
Thread: OT: CACert included in Kubuntu?
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-28 17:19:08 |
Hi folks,
Offtopic here but I wanted to see if anyone could confirm
this. I noticed
today that jabber.ru, signed by CACert, was validating with
QCA on my Kubuntu
system. I don't believe I ever installed CACert as a root
authority.
In fact, it is cert #1 in the systemstore:
$ qcatool --list-keystore sys | grep "CA Cert"
Cert 1 [CA Cert Signing Authority]
$ qcatool --showcert sys:1
Serial Number: 0
Subject
Name: CA Cert Signing Authority
Organization: Root CA
Organizational Unit: http://www.cacert.org
...
I find this a bit concerning. CA Cert might be great, but
even Mozilla has
not accepted them as far as I know. I'm not sure how
Kubuntu can justify
this, when I doubt they have nearly the security policies as
Mozilla.
This is probably also true for plain Ubuntu, but I haven't
confirmed.
-Justin
_______________________________________________
psi-devel mailing list
psi-devel lists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-28 17:32:57 |
On Tuesday 28 November 2006 19:19, Justin Karneges wrote:
> Offtopic here but I wanted to see if anyone could
confirm this. I noticed
> today that jabber.ru, signed by CACert, was validating
with QCA on my
> Kubuntu system. I don't believe I ever installed
CACert as a root
> authority.
Well... I don't use (K)Ubuntu on a regular base, but Google
told me this:
http://w
ww.google.com/search?q=cacert+ubuntu
Apparenly, you're right
Mircea
/IceRAM
--
Psi Forums Moderator/Bug Tracker Manager
Psi Windows Installer Maintainer/ArchLinux Package
Maintainer
http://mircea.bardac.net
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-28 17:37:36 |
> Offtopic here but I wanted to see if anyone could
confirm this. I noticed
> today that jabber.ru, signed by CACert, was validating
with QCA on my Kubuntu
> system. I don't believe I ever installed CACert as a
root authority.
I'm on Ubuntu.
$ apt-cache showpkg ca-certificates
Package: ca-certificates
Versions:
20050804(/var/lib/apt/lists/be.archive.ubuntu.com_ubuntu_dis
ts_dapper_main_binary-i386_Packages)(/var/lib/apt/lists/arch
ive.ubuntu.com_ubuntu_dists_dapper_main_binary-i386_Packages
)(/var/lib/dpkg/status)
Reverse Depends:
sendmail-base,ca-certificates
openssl,ca-certificates
mutt,ca-certificates
w3mmee,ca-certificates
sendmail-base,ca-certificates
libapache-mod-ssl,ca-certificates
balsa,ca-certificates
w3m,ca-certificates
openssl,ca-certificates
mutt,ca-certificates
libcurl3-gnutls,ca-certificates
libcurl3,ca-certificates
fetchmail,ca-certificates
I'm no expert, but it looks to me that a load of essential
packages in
Ubuntu depends on ca-certificates. I tried removing it, but
got an
error for one of the listed packages.
cheers,
Remko
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-28 21:37:40 |
> I find this a bit concerning. CA Cert might be great,
but even Mozilla has
> not accepted them as far as I know. I'm not sure how
Kubuntu can justify
> this, when I doubt they have nearly the security
policies as Mozilla.
Also Debian has accepted CA cert certificates,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213086, so ubuntu and
kubuntu automatically accepts them too. I expect that
mozilla will accept
them too, we need just some more time. The CAcert
certificates are more
trustfull than many others, which are already presented in
chains. Best
security practice is removing all certificates and use only
some of them.
cheers
dan
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-28 23:09:27 |
On Tuesday 28 November 2006 1:37 pm, Dan Ohnesorg wrote:
> > I find this a bit concerning. CA Cert might be
great, but even Mozilla
> > has not accepted them as far as I know. I'm not
sure how Kubuntu can
> > justify this, when I doubt they have nearly the
security policies as
> > Mozilla.
>
> Also Debian has accepted CA cert certificates,
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213086, so ubuntu and
> kubuntu automatically accepts them too. I expect that
mozilla will accept
> them too, we need just some more time. The CAcert
certificates are more
> trustfull than many others, which are already presented
in chains.
I don't think it is fair to call CAcert more trustworthy.
Presently, WebTrust
certification is used to determine what counts as a root CA,
and the simple
fact is that CAcert has not been certified. I'm not sure
what Debian is
thinking here.
StartCom ( http://cert.startcom.org/ ) looks interesting. It is free like
CAcert, yet also certified and already going into browsers.
> Best security practice is removing all certificates and
use only some of
> them.
And unfortunately a usability nightmare. :(
-Justin
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-28 23:15:37 |
Justin Karneges wrote:
>> Best security practice is removing all certificates
and use only some of
>> them.
>
> And unfortunately a usability nightmare. :(
I'd like to see VeriSign helpdesk's face when someone
(normal user!)
called them to ask for the fingerprint ;)
--
Maciek
xmpp:machekkuuaznia.net
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-29 23:09:03 |
On Tuesday 28 November 2006 9:19 am, Justin Karneges wrote:
> I find this a bit concerning. CA Cert might be great,
but even Mozilla has
> not accepted them as far as I know. I'm not sure how
Kubuntu can justify
> this, when I doubt they have nearly the security
policies as Mozilla.
>
> This is probably also true for plain Ubuntu, but I
haven't confirmed.
It looks like CAcert is in at least Debian (and
derivatives), Gentoo, and the
Nokia 770 phone. And this isn't a new thing either, the
following blog post
is over a year old:
http://blog.c
acert.org/2005/11/110.html
-Justin
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-30 12:12:14 |
On Wednesday 29 November 2006 10:15, Maciek Niedzielski
wrote:
> Justin Karneges wrote:
> >> Best security practice is removing all
certificates and use only some of
> >> them.
> >
> > And unfortunately a usability nightmare. :(
>
> I'd like to see VeriSign helpdesk's face when someone
(normal user!)
> called them to ask for the fingerprint ;)
But there is a damn good point here. How do we know if the
key for "Verisign"
on my machine right now was actually made by them? And do I
even trust a
corporation in the first place? (Didn't they make an
enormous screw-up a
while back?)
TX
--
Email: trejkaztrypticon.org
Jabber ID: trejkaztrypticon.org
Web site: http://trypticon.org/
GPG Fingerprint: 9EEB 97D7 8F7B 7977 F39F A62C B8C7 BC8B
037E EA73
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-30 17:56:55 |
On Thursday 30 November 2006 4:12 am, Trejkaz wrote:
> On Wednesday 29 November 2006 10:15, Maciek Niedzielski
wrote:
> > Justin Karneges wrote:
> > >> Best security practice is removing all
certificates and use only some
> > >> of them.
> > >
> > > And unfortunately a usability nightmare. :(
> >
> > I'd like to see VeriSign helpdesk's face when
someone (normal user!)
> > called them to ask for the fingerprint ;)
>
> But there is a damn good point here. How do we know if
the key for
> "Verisign" on my machine right now was
actually made by them?
You have to trust that your distribution obtains its files
from reliable
sources. This is always true, and for any package they
provide. If you
can't trust your own operating system, then this entire
discussion is
meaningless.
Next, you need a secure way of obtaining the
distribution/OS. With Windows,
you buy it in a box or it comes in your computer.
Downloading an unencrypted
Linux ISO over HTTP is not something I'd consider secure.
However, there are
a number of things you can do to verify the integrity of
your files (not that
anyone does these things). If you can get Mark Shuttleworth
to personally
hand you an Ubuntu CD-ROM, even better.
Actually, this practice of secure retrieval should apply to
*any* software
package you obtain from *anywhere*, not just your operating
system. This is
why I'd like to get HTTPS and Code Signing for Psi
downloads, so users can
ensure they are getting an untainted package.
> And do I
> even trust a corporation in the first place? (Didn't
they make an enormous
> screw-up a while back?)
They did make a screw-up. However, the fact is that we
still trust them to do
their job more than we trust anyone else to do it. The same
goes for
software authors that provide packages to us with security
holes.
Your bank trusts Verisign. In that context, you should too.
On one hand, you
have an authority system where business, bank, and
government interactions
take place effortlessly. On the other hand, you could have
your own personal
system where you independently verify every public key you
encounter. The
latter is as secure as you make it to be. The former may
not be as secure,
because of all the trust in third-parties, but it is the one
the world has
chosen, and within it we are all equally vulnerable (just
like credit cards,
or passports). Both realms have their place.
-Justin
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
| OT: CACert included in Kubuntu? |
|
2006-11-30 18:26:55 |
On Thu, Nov 30, 2006 at 09:56:55AM -0800, Justin Karneges
wrote:
>
> Actually, this practice of secure retrieval should
apply to *any* software
> package you obtain from *anywhere*, not just your
operating system. This is
> why I'd like to get HTTPS and Code Signing for Psi
downloads, so users can
> ensure they are getting an untainted package.
>
The standard paractice is providing md5 oder sha1 sums at an
trusted
location or sign them with gpg with a key that the user
might trust.
I think https won't help very much except raise server load
for the
downloads. But having the checksum download
"secured" with ssl migth be
useful.
I personally distrust the whole CA stuff¹, but some people
might feel better
that way.
- Martin H.
¹ at least for anything someone would really want to
compromise..
_______________________________________________
psi-devel mailing list
psi-devellists.affinix.com
http://lists.affinix.com/listinfo.cgi/psi-devel-affin
ix.com
|
|
|
|