[Operators] May 19th - Permanent encrypted XMPP network and Open Discussion Day

Kevin Smith kevin at kismith.co.uk
Mon May 19 11:19:42 UTC 2014


On Mon, May 19, 2014 at 11:57 AM, Mikael Nordfeldth <mmn at hethane.se> wrote:
> On Mon, 19 May 2014, 10:37:23 CEST, Simon Tennant <simon at buddycloud.com> wrote:
>
>> One problem I have noticed:
>>
>>       - domains that use CACert certificates are problematic.
>>
>> Probably due to cacert being dropped from the trust chain. The site in
>> question went to a different registrar and everything works now.
>
> Yes, it is very unfortunate that the TLS forcing comes immediately after the mass removal of the only certificate provider which I and others use broadly. It has become the perfect advertisement campaign for a broken, costly CA system based on corporate trust rather than user trust.
>
> I have personally added the cacert.org root to my ca-certificates folder and removed the blacklisting on systems where such a thing was added by the package manager.
> That will continue to be necessary for communicating with @hethane.se.
>
> I'd hope to see others do this too, or simply implement some sort of TOFU policy which can understand new certs when they expire. Or are we all going to put our trust in StartCom from now on? ;)

As mentioned earlier in this thread, this isn't the case, and whether
people trust individual CAs or not is tangential. Today's change is to
require encryption, not to do authentication with the provided certs.

It seems much more likely that the CA in question is issuing certs
that some software is unable to handle at all, as they're not being
used for authentication.

/K
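The distinction drawn in the reply above, between requiring that a server *encrypt* (STARTTLS must succeed) and requiring that the client *authenticate* the certificate it presents, is easy to check for a given domain. The script below is an added example and is not tooling from the Operators list or from any XMPP project. It implements the RFC 6120 stream-open and STARTTLS exchange itself, parses the server's `<proceed/>`/`<failure/>` reply, and can wrap the socket with either an encryption-only TLS context or one that also validates the chain and hostname; the `probe` helper, the `SAMPLE_*` stanzas and `example.net` are constructed for illustration. Running `probe` twice, once with `authenticate=False` and once with `authenticate=True`, separates "this server cannot negotiate TLS at all" (the software or certificate-handling problem the reply suspects) from "this certificate does not chain to my trust store" (the CA question the reply calls tangential).

```python
"""Check XMPP transport encryption separately from certificate authentication.
Added example; the sample stanzas and helper names are constructed."""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed sample server replies, for offline use.
SAMPLE_FEATURES = (f"<stream:features><starttls xmlns='{XMPP_TLS_NS}'>"
                   "<required/></starttls></stream:features>")
SAMPLE_NO_TLS = ("<stream:features><mechanisms "
                 "xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/></stream:features>")
SAMPLE_PROCEED = f"<proceed xmlns='{XMPP_TLS_NS}'/>"
SAMPLE_FAILURE = f"<failure xmlns='{XMPP_TLS_NS}'/>"

STARTTLS_REQUEST = f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode()


def stream_header(domain: str) -> bytes:
    """Opening stream header for a client-to-server connection (RFC 6120 s.4.2)."""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
            f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>").encode()


def server_offers_starttls(features_xml: str) -> bool:
    """True if a <stream:features/> stanza advertises STARTTLS.
    The stanza is wrapped so the 'stream' prefix is declared for the parser."""
    root = ET.fromstring(f"<root xmlns:stream='{STREAM_NS}'>{features_xml}</root>")
    return root.find(f".//{{{XMPP_TLS_NS}}}starttls") is not None


def starttls_accepted(reply_xml: str) -> bool:
    """Interpret the server's answer to <starttls/>: <proceed/> or <failure/>."""
    root = ET.fromstring(reply_xml)
    if root.tag == f"{{{XMPP_TLS_NS}}}proceed":
        return True
    if root.tag == f"{{{XMPP_TLS_NS}}}failure":
        return False
    raise ValueError(f"unexpected STARTTLS reply: {root.tag}")


def tls_context(authenticate: bool) -> ssl.SSLContext:
    """Encryption-only context (what a mandatory-TLS policy needs) versus one
    that also authenticates the chain and hostname against the trust store."""
    ctx = ssl.create_default_context()
    if not authenticate:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(domain: str, port: int = 5222, authenticate: bool = False,
          timeout: float = 10.0) -> dict:
    """Live check (needs network): open the stream, request STARTTLS and wrap
    the socket. Reports whether TLS was offered and whether the handshake
    completed under the chosen policy, with the failure reason if not."""
    result = {"starttls_offered": False, "handshake_ok": False, "error": None}
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain))
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                result["error"] = "stream closed before features"
                return result
            buf += chunk
        start = buf.index(b"<stream:features")
        end = buf.index(b"</stream:features>") + len(b"</stream:features>")
        if not server_offers_starttls(buf[start:end].decode()):
            return result
        result["starttls_offered"] = True
        sock.sendall(STARTTLS_REQUEST)
        if not starttls_accepted(sock.recv(4096).decode()):
            result["error"] = "server refused STARTTLS"
            return result
        try:
            tls = tls_context(authenticate).wrap_socket(sock, server_hostname=domain)
            result["handshake_ok"] = True
            result["cipher"] = tls.cipher()[0]
        except ssl.SSLError as exc:  # covers SSLCertVerificationError too
            result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # Offline demonstration on the constructed stanzas.
        print("offers STARTTLS:", server_offers_starttls(SAMPLE_FEATURES))
        print("proceed accepted:", starttls_accepted(SAMPLE_PROCEED))
        sys.exit(0)
    for auth in (False, True):
        print("authenticate=%s -> %s" % (auth, probe(sys.argv[1], authenticate=auth)))
```

If the `authenticate=False` run already fails in the handshake, the problem is not which roots a client trusts; if only the `authenticate=True` run fails, the server encrypts fine and the remaining issue is purely the trust chain.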

