This repository has been archived by the owner. It is now read-only.

Investigate adding root certs for CACert and Let's Encrypt #171

Closed
wolfbeast opened this issue Sep 15, 2015 · 8 comments

Comments

@wolfbeast wolfbeast commented Sep 15, 2015

We should investigate whether we want CACert and Let's Encrypt root certificates in our truststore

Let's Encrypt: https://letsencrypt.org/
CACert: http://www.cacert.org/

@nelegalno nelegalno commented Oct 20, 2015

https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html - "We’re pleased to announce that we’ve received cross-signatures from IdenTrust ..."

Still getting "Error code: sec_error_ocsp_invalid_signing_cert" on https://helloworld.letsencrypt.org/ though.


@wolfbeast wolfbeast commented Oct 21, 2015

The certificate chain on helloworld.letsencrypt.org does check out when you're not doing an OCSP lookup, and links against the DST root cert (not IdenTrust? Or is that the same?) which is a built-in token for Pale Moon. So it may be an issue with the OCSP server not knowing of this cross-signing (yet)?
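The two checks the comment above keeps separate (chain validation against a built-in root, and OCSP) can be reproduced in miniature. This is an added example, not code from the Pale Moon project or from anyone in this thread: it builds a constructed root, intermediate, leaf and two OCSP responders with the `cryptography` package, walks the leaf's chain to the root, and then applies the RFC 6960 rule for who may sign an OCSP response (the issuer itself, or a certificate the issuer signed that carries the OCSPSigning EKU). A response that fails that rule is the condition NSS reports as sec_error_ocsp_invalid_signing_cert; the example does not claim that is what happened on helloworld.letsencrypt.org. All names ("Example Root", "helloworld.example") and keys are constructed.

```python
"""Constructed mini-PKI: a root, an intermediate, a leaf, and two OCSP
responders, one delegated by the issuer and one that merely claims to be.
Added example; none of these names or keys belong to any real CA."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_cert(cn, issuer_name, issuer_key, pubkey, is_ca, ekus=None):
    """Issue a certificate with the given CN; a constructed helper."""
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
               .issuer_name(issuer_name)
               .public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW - datetime.timedelta(days=1))
               .not_valid_after(NOW + datetime.timedelta(days=90))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, signer):
    """True if cert's signature verifies under signer's public key (ECDSA here)."""
    try:
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:  # InvalidSignature, or a key type we do not expect
        return False


def chains_to_root(leaf, intermediates, roots):
    """Follow issuer links from the leaf; True only if a trusted root is reached."""
    current = leaf
    for _ in range(len(intermediates) + 1):
        if any(current.issuer == r.subject and signed_by(current, r) for r in roots):
            return True
        parents = [i for i in intermediates
                   if current.issuer == i.subject and signed_by(current, i)]
        if not parents:
            return False  # chain dangles: no trusted root and no known issuer
        current = parents[0]
    return False


def ocsp_responder_authorized(response, issuer):
    """RFC 6960 s4.2.2.2: the response must be signed by the certificate issuer
    itself, or by a certificate the issuer signed that carries the
    id-kp-OCSPSigning EKU. Anything else is an invalid signing cert."""
    for cand in [issuer] + list(response.certificates):
        try:
            cand.public_key().verify(response.signature, response.tbs_response_bytes,
                                     ec.ECDSA(response.signature_hash_algorithm))
        except Exception:
            continue  # this certificate did not sign the response
        if cand == issuer:
            return True
        try:
            eku = cand.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            return False
        return ExtendedKeyUsageOID.OCSP_SIGNING in eku and signed_by(cand, issuer)
    return False


def make_ocsp_response(cert, issuer, responder_cert, responder_key):
    """Sign a GOOD status for cert, embedding the responder's certificate."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + datetime.timedelta(days=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
            .certificates([responder_cert])
            .sign(responder_key, hashes.SHA256()))


def run_checks():
    """Build the scenario and return the three verdicts a client would reach."""
    root_key, int_key, leaf_key, resp_key, rogue_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])
    root = make_cert("Example Root", root_name, root_key, root_key.public_key(), True)
    inter = make_cert("Example Intermediate", root.subject, root_key,
                      int_key.public_key(), True)
    leaf = make_cert("helloworld.example", inter.subject, int_key,
                     leaf_key.public_key(), False)
    # Delegated responder: signed by the issuing intermediate, OCSPSigning EKU.
    good = make_cert("Example OCSP", inter.subject, int_key, resp_key.public_key(),
                     False, [ExtendedKeyUsageOID.OCSP_SIGNING])
    # Impostor: same name and EKU, but signed with its own key, so the issuer
    # never delegated to it. The name alone must not be trusted.
    rogue = make_cert("Example OCSP", inter.subject, rogue_key, rogue_key.public_key(),
                      False, [ExtendedKeyUsageOID.OCSP_SIGNING])
    return {
        "chain_ok": chains_to_root(leaf, [inter], [root]),
        "ocsp_good": ocsp_responder_authorized(
            make_ocsp_response(leaf, inter, good, resp_key), inter),
        "ocsp_rogue": ocsp_responder_authorized(
            make_ocsp_response(leaf, inter, rogue, rogue_key), inter),
    }


if __name__ == "__main__":
    print(run_checks())
```

The point to notice is that `ocsp_responder_authorized` checks the signature and the delegation, not the responder's name: the chain for `leaf` is fine in both runs, so a client that validates the chain but then rejects the OCSP response is reporting on the responder, not on the certificate it asked about.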

@nelegalno nelegalno commented Oct 26, 2015

https://helloworld.letsencrypt.org/ - seems to be working now.


@wolfbeast wolfbeast commented Oct 27, 2015

Cross-signing and OCSP indeed works. I'd still want to investigate adding the root cert to our truststore though.


@wolfbeast wolfbeast commented Nov 13, 2015

I'm declining Letsencrypt's addition at this point because of the intended 60-day auto-renewal/90-day expiry and inherent lack of validation as well as security risks involved in such a short-term and automated process.

If someone forgets to renew, or forgets how to renew, or doesn't communicate it to their backups, successors, etc., that's a reflection on them and their organization/business, etc. Then that's their problem and something for their customers to hold them accountable for, and not the task of the CA or the certificate framework to mitigate.


@wolfbeast wolfbeast commented Nov 13, 2015

Since CACert has not responded at all to my inquiries in 2 months since this issue was opened, I'm not considering them a valid candidate. This means that this issue can now be closed since neither are acceptable.

@wolfbeast wolfbeast closed this Nov 13, 2015

@wolfbeast wolfbeast commented Jan 7, 2016

Datapoint: http://www.csoonline.com/article/3019991/security/malvertising-campaign-used-a-free-certificate-from-lets-encrypt.html
Let's Encrypt "as a policy" will not revoke certificates, even when abused. This would be a CA's responsibility which they are not willing to take. 👎


@wolfbeast wolfbeast commented Apr 10, 2016

CACert has pretty much fallen apart and they are no longer aiming to be audited as a browser cert authority. This makes inclusion in our root store a no-go by default.

Meaning that both are now verified undesirable (CACert was previously still an option).
