[Dev] Why don't we use a proper certificate?

Luke Shumaker lukeshu at sbcglobal.net
Sat Jun 6 19:48:54 GMT 2015


On Sat, 06 Jun 2015 08:05:07 -0600,
Joseph Graham wrote:
> 
> Please upgrade to a proper cert, CAcert is even less secure than a
> commercial cert provider and the keys are not included in most browsers.

When Parabola adopted CAcert as our CA, it was trusted by most major
distros.  It is trusted by Arch Linux today (though when Debian
dropped CAcert, Arch briefly followed suit), where most of our new
users come from^[citation-needed].

CAcert has not been properly audited (the reason for exclusion by
Mozilla), but that does not mean that they are entirely less secure.
We have seen major breaches by "commercial cert provider[s]";
CNNIC/MCS (2015), India's NIC (2014), Comodo (2011).  These breaches
all come from a mis-behaving intermediate CA.  CAcert is its own
intermediate CA; this type of breach cannot happen to CAcert.  The
lack of an audit means that fewer things are provable about the
security, not that it is necessarily less secure.

Even if CAcert were verifiably less secure, we would still be
interested in using them.  They are the only community-run CA--as I'm
sure you have realized, community is highly valued by Parabola.  While
we are pleased with the IETF's recent push towards "use TLS for all
the things", it has created more centralization on a few root CAs,
whose dominance raises the barrier for entry to participating on the
WWW as a publisher.  Even StartSSL, who provides gratis personal-use
certificates, charges for revocations, undermining the point.  We need
a community CA, and right now CAcert is the only one.

That said, we do plan on getting certs from Let's Encrypt when they
become available ("Mid-2015").  Let's Encrypt certs will be recognized
by most browsers and operating systems.  Though not entirely
community-run, they have engaged and involved the community, and are
producing free software to make it possible to operate an auditable
and secure CA--a boon for everyone.

--
Happy hacking,
~ Luke Shumaker


