[Operators] May 19th - Permanent encrypted XMPP network and Open Discussion Day

Mikael Nordfeldth mmn at hethane.se
Mon May 19 10:57:41 UTC 2014


On Mon, 19 May 2014, 10:37:23 CEST, Simon Tennant <simon at buddycloud.com> wrote:

> One problem I have noticed:
> 
>       - domains that use CACert certificates are problematic.
> 
> Probably due to cacert being dropped from the trust chain. The site in
> question went to a different registrar and everything works now.

Yes, it is very unfortunate that the TLS forcing comes immediately after the mass removal of the only certificate provider that others and I use broadly. It has become the perfect advertisement campaign for a broken, costly CA system based on corporate trust rather than user trust.

I have personally added the cacert.org root to my ca-certificates folder and removed the blacklisting on systems where such a thing was added by the package manager.
That will continue to be necessary for communicating with @hethane.se.

I'd hope to see others do this too, or simply implement some sort of TOFU policy which can understand new certs when they expire. Or are we all going to put our trust in StartCom from now on? ;)

-- 
Mikael Nordfeldth
XMPP/mail: mmn at hethane.se
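
A sketch of the TOFU idea raised in the message above, added here as an example and not part of the original post or of any XMPP server's code: pin a domain's certificate on first contact and accept a different certificate only when the pinned one is expired or close to expiry. The names TofuStore and RENEWAL_GRACE, the verdict strings, the 30-day window and the sample certificates are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed policy: a replacement cert is plausible this long before the pinned one expires.
RENEWAL_GRACE = timedelta(days=30)


class TofuStore:
    """In-memory pin store (hypothetical): domain -> (SHA-256 of DER cert, notAfter)."""

    def __init__(self):
        self.pins = {}

    def check(self, domain, der_cert, not_after, now):
        fp = hashlib.sha256(der_cert).hexdigest()
        if not_after <= now:
            return "reject-expired"        # never accept or pin an expired cert
        pinned = self.pins.get(domain)
        if pinned is None:
            self.pins[domain] = (fp, not_after)
            return "pinned-first-use"      # trust on first use
        pinned_fp, pinned_not_after = pinned
        if fp == pinned_fp:
            return "match"
        if now >= pinned_not_after - RENEWAL_GRACE:
            self.pins[domain] = (fp, not_after)
            return "repinned-renewal"      # old pin expired or about to expire
        return "reject-mismatch"           # unexpected change: surface to the operator


def demo():
    utc = timezone.utc
    store = TofuStore()
    # Constructed stand-ins for DER-encoded certificates.
    old_cert, new_cert, other = b"constructed-old", b"constructed-new", b"constructed-other"
    old_exp = datetime(2014, 11, 1, tzinfo=utc)
    new_exp = datetime(2015, 11, 1, tzinfo=utc)
    return [
        store.check("example.org", old_cert, old_exp, datetime(2014, 5, 19, tzinfo=utc)),
        store.check("example.org", old_cert, old_exp, datetime(2014, 6, 1, tzinfo=utc)),
        store.check("example.org", other, new_exp, datetime(2014, 6, 2, tzinfo=utc)),
        store.check("example.org", new_cert, new_exp, datetime(2014, 10, 15, tzinfo=utc)),
        store.check("example.org", new_cert, new_exp, datetime(2014, 12, 1, tzinfo=utc)),
    ]


if __name__ == "__main__":
    print(demo())
```

The renewal window is the weak point of this policy: any certificate presented during it is re-pinned, so a shorter window trades convenience for fewer silent re-pins.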

