Bug 538219 - Fedora's ca-bundle.crt doesn't contain the CAcert CA certificates
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: rawhide
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2009-11-17 18:27 EST by Robert Scheck
Modified: 2009-11-18 18:16 EST
Doc Type: Bug Fix
Last Closed: 2009-11-18 04:48:45 EST
Attachments
Patch to add the missing functionality to mkcabundle.pl (1.08 KB, patch), 2009-11-17 18:56 EST, Robert Scheck

Description Robert Scheck 2009-11-17 18:27:17 EST
Description of problem:
Fedora's ca-bundle.crt doesn't contain the CAcert CA certificates.

Since the Thawte Web of Trust was shut down two days ago, the only remaining
Web of Trust seems to be CAcert. I'm wondering why the community project is
not included in Fedora's ca-bundle.crt right now.

Using the CAcert certificates, you can e.g. sign and encrypt your e-mails
using the S/MIME standard. Without the root CA of CAcert, the path is broken.

- http://www.cacert.org/certs/root.txt
- http://www.cacert.org/certs/class3.txt

Please ensure that both CAcert CAs (Class 1 and 3) are added to Fedora's
ca-bundle.crt.

Version-Release number of selected component (if applicable):
ca-certificates-2009-2

How reproducible:
Every time, see above.

Actual results:
Fedora's ca-bundle.crt doesn't contain the CAcert CA certificates.

Expected results:
Fedora is shipping the CAcert CA certificates.

Additional info:
Please update the ca-certificates package at all active Fedora branches with
an official update.
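To answer the question this report raises (is a particular root actually present in ca-bundle.crt?), here is an added example that is not part of the bug, the ca-certificates package, or the attached mkcabundle.pl patch: it splits a PEM bundle into its certificates and looks for one by SHA-256 fingerprint, which is the check a defender should make instead of trusting the comment header above a block. The bundle text and the certificate payloads are constructed placeholders, not the CAcert certificates.

```python
import base64
import hashlib
import re

# Constructed sample in the layout of ca-bundle.crt: a comment line naming
# each CA, then the PEM block.  The base64 payloads are NOT real X.509
# certificates, just placeholder bytes (0x00..0x09 and 0x21..0x2f), so the
# check below works on raw DER fingerprints rather than parsed subjects.
SAMPLE_BUNDLE = """\
# Example Root CA (constructed, not a real certificate)
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
# Another Example CA (constructed, not a real certificate)
-----BEGIN CERTIFICATE-----
ISIjJCUmJygpKissLS4v
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_RE.finditer(bundle_text)]


def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_contains(bundle_text, expected_fingerprint):
    """True if a certificate with the given SHA-256 fingerprint is present.

    The expected value is normalised (colons stripped, case folded) so a
    fingerprint copied from a CA's web page or from `openssl x509` output
    can be pasted in either form.
    """
    wanted = expected_fingerprint.replace(":", "").upper()
    return any(sha256_fingerprint(der).replace(":", "") == wanted
               for der in pem_blocks(bundle_text))
```

Against a real system, read the installed ca-bundle.crt and pass the fingerprint the CA publishes for its root; a match by fingerprint is independent of the file's comment headers and of the order in which mkcabundle.pl emitted the blocks.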
Comment 1 Robert Scheck 2009-11-17 18:56:18 EST
Created attachment 369982 [details]
Patch to add the missing functionality to mkcabundle.pl
Comment 2 Robert Scheck 2009-11-17 19:49:43 EST
As the same issue exists in RHEL, the RHEL issue is tracked in bug #538222.
Comment 3 Joe Orton 2009-11-18 03:47:58 EST
The root CA bundle is kept in sync with the Mozilla CA bundle. The CACert root cert will be included if and only if Mozilla upstream accept it.

The bug tracking CACert's inclusion in the Mozilla root CA bundle is here:

https://bugzilla.mozilla.org/show_bug.cgi?id=215243
Comment 4 Robert Scheck 2009-11-18 04:22:49 EST
I don't care about Mozilla and their crazy thinking and their processes about
what should be included or not, which have existed for years now but were
never finished.

We are Fedora, not Mozilla. We've "first", "freedom", "friends", "features"
in our F.

We don't even include our Fedora CA, which unfortunately causes the same
trouble for our Fedora users. And in fact, CAcert is one of *the* open and
community CAs.

And when looking at RHEL, Red Hat even includes their own CA there. I can't
see any good reason not to do the same or similar for Fedora.

If you don't agree with me, I'll open a FESCo ticket to escalate here.
Comment 5 Tomas Mraz 2009-11-18 04:41:26 EST
We are not in a position to manage a trusted root certificate list ourselves. We would have to carefully examine the policies of the certificate authorities ourselves (and, even better, verify that the CAs actually adhere to them), and that is not a job for a single package maintainer in Fedora.

But feel free to escalate to FESCo; I do not think they can force the burden of managing such a list onto any single package maintainer.
Comment 6 Joe Orton 2009-11-18 04:48:45 EST
As Tomas says, the Fedora Project does not have the resources to vet and validate third-party Certificate Authorities ourselves.  Mozilla have an excellent process for doing this and I trust them to follow it.  They are our upstream here, and it is right and proper that we defer to them.  Doing it this way also means that OpenSSL- and GnuTLS-based packages can keep vaguely in sync with NSS-based packages within the distribution, so far as the root CA bundle goes.

If you have issues with the Mozilla CA process I would expect you to attempt to resolve such issues upstream in the first instance, as we would with any other upstream project.  Making extravagant claims about their "crazy thinking" does not in any way encourage me to trust you above them in making decisions on what CAs we should include in the root CA bundle.

Please do not re-open this bug.  We can discuss further on fedora-devel if you wish.
Comment 7 Robert Scheck 2009-11-18 18:16:45 EST
FESCo ticket: https://fedorahosted.org/fesco/ticket/276