Description of problem:
Fedora's ca-bundle.crt doesn't contain the CAcert CA certificates. Since the Thawte Web of Trust was shut down two days ago, the only remaining Web of Trust seems to be CAcert. I'm wondering that the community project is not included in Fedora's ca-bundle.crt right now. Using the CAcert certificates, you can e.g. sign and encrypt your e-mails using the S/MIME standard. Without the root CA of CAcert, the path is broken.

- http://www.cacert.org/certs/root.txt
- http://www.cacert.org/certs/class3.txt

Please ensure that both CAcert CAs (Class 1 and 3) are added to Fedora's ca-bundle.crt.

Version-Release number of selected component (if applicable):
ca-certificates-2009-2

How reproducible:
Every time, see above.

Actual results:
Fedora's ca-bundle.crt doesn't contain the CAcert CA certificates.

Expected results:
Fedora is shipping the CAcert CA certificates.

Additional info:
Please update the ca-certificates package on all active Fedora branches with an official update.
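The report's complaint is that a specific root is absent from the shipped bundle, which is something an administrator can verify directly rather than by waiting for a chain to fail. The following is an added example, not code from the bug report or from the ca-certificates package: it parses a PEM bundle such as ca-bundle.crt, fingerprints every certificate in it, and reports which expected roots are present. The sample bundle, the byte strings standing in for DER certificates, and the fingerprint values are constructed placeholders; in real use the expected fingerprints are taken from the CA's published root certificate (for CAcert, the root.txt and class3.txt files cited above).

```python
"""Audit a PEM CA bundle for the presence of expected root certificates.

Added example, not part of the original bug report. Presence is decided by the
SHA-256 fingerprint of each certificate's DER encoding, which is the usual way
a trust-store audit pins a CA's identity independently of its display name.
"""
import base64
import hashlib
import re
import sys
from typing import Dict, List

# Matches one PEM CERTIFICATE block; DOTALL lets the body span lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def parse_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order.

    Comment lines and other text between blocks (as found in ca-bundle.crt)
    are ignored; a block with invalid base64 raises rather than being skipped.
    """
    ders = []
    for match in PEM_CERT.finditer(pem_text):
        body = "".join(match.group(1).split())  # drop line breaks inside the block
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding as lowercase hex, no separators."""
    return hashlib.sha256(der).hexdigest()


def audit_bundle(pem_text: str, expected: Dict[str, str]) -> Dict[str, bool]:
    """Map each expected root name to whether its fingerprint is in the bundle.

    Expected fingerprints may be given in the colon-separated, upper-case form
    that `openssl x509 -fingerprint -sha256` prints; both forms are normalised.
    """
    present = {fingerprint(der) for der in parse_bundle(pem_text)}
    return {
        name: fp.replace(":", "").lower() in present for name, fp in expected.items()
    }


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: these byte strings are NOT real X.509 certificates,
# only placeholders standing in for the DER encoding of two bundled roots.
SAMPLE_DERS = [b"\x30\x82" + b"constructed-root-A", b"\x30\x82" + b"constructed-root-B"]
SAMPLE_BUNDLE = "# constructed ca-bundle.crt\n" + "".join(to_pem(d) for d in SAMPLE_DERS)

# Expected roots (placeholder names and values). In practice the fingerprints
# come from the CA's published root certificate, not from the bundle under test.
EXPECTED_ROOTS = {
    "placeholder root present in bundle": fingerprint(SAMPLE_DERS[0]),
    "placeholder root missing from bundle": "00" * 32,
}


def main(argv: List[str]) -> int:
    """Audit the bundle at argv[1] (or the constructed sample) and report."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            pem_text = fh.read()
    else:
        pem_text = SAMPLE_BUNDLE
    print(f"{len(parse_bundle(pem_text))} certificate(s) in bundle")
    result = audit_bundle(pem_text, EXPECTED_ROOTS)
    for name, found in result.items():
        print(f"{'present' if found else 'MISSING'}: {name}")
    return 0 if all(result.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_bundle.py /etc/pki/tls/certs/ca-bundle.crt` after replacing the placeholder entries in `EXPECTED_ROOTS` with fingerprints obtained from the CA's own published certificates; a non-zero exit status means at least one expected root is absent, which is exactly the condition the report describes for S/MIME chains that end in a CAcert root.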
Created attachment 369982: Patch to add the missing functionality to mkcabundle.pl
As the same issue exists in RHEL, the RHEL issue is tracked in bug #538222
The root CA bundle is kept in sync with the Mozilla CA bundle. The CACert root cert will be included if and only if Mozilla upstream accepts it. The bug tracking CACert's inclusion in the Mozilla root CA bundle is here: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
I don't care about Mozilla and their crazy thinking and their for years now existing but never-finished processes about what should be included or not. We are Fedora, not Mozilla. We've "first", "freedom", "friends", "features" in our F. We don't even include our Fedora CA, which unfortunately causes the same trouble for our Fedora users. And in fact, CAcert is one of *the* open and community CAs. And when looking at RHEL, Red Hat even includes their own CA there. I can't see any good reason not to do the same or similar for Fedora. If you don't agree with me, I'll open a FESCo ticket to escalate here.
We are not in a position to manage a trusted root certificate list ourselves. We would have to carefully examine the policies (and even better, verify that the CAs actually adhere to them) of the certificate authorities ourselves, and that is not a job for a single package maintainer in Fedora. But feel free to escalate to FESCo; I do not think they can force the burden of managing such a list onto any single package maintainer.
As Tomas says, the Fedora Project does not have the resources to vet and validate third-party Certificate Authorities ourselves. Mozilla have an excellent process for doing this and I trust them to follow it. They are our upstream here, and it is right and proper that we defer to them. Doing it this way also means that OpenSSL- and GnuTLS-based packages can keep vaguely in sync with NSS-based packages within the distribution, so far as the root CA bundle goes. If you have issues with the Mozilla CA process I would expect you to attempt to resolve such issues upstream in the first instance, as we would with any other upstream project. Making extravagant claims about their "crazy thinking" does not in any way encourage me to trust you above them in making decisions on what CAs we should include in the root CA bundle. Please do not re-open this bug. We can discuss further on fedora-devel if you wish.
FESCo ticket: https://fedorahosted.org/fesco/ticket/276