Hi,
* Georg Koppen:
> why is that one not in Mozilla's trust store? Do they have documentation on how their internal processes wrt issuing certificates work? Do they have audits of that process?
There is a standardized process but I am not aware of that other than the fact that it exists.
https://wiki.mozilla.org/CA:How_to_apply
The SPI root cert on the other hand comes bundled with Debian and is part of ca-certificates.
> Messing with CAs is always a tricky business. And, personally, I am not a strong fan of adding root certificates of organizations that can't make sure their processes can handle issuing certificates properly, quite the contrary. (Btw. I am not claiming that all the other CAs *can* make that sure; that's a separate discussion though)
> Instead of adding additional root certificates I'd explore ways of getting the necessary certificates installed in the user-friendliest way possible when the user is *actually needing* them. (There is no need to expose all those users that are neither using OFTC nor jabber.ccc.de to the additional risk that comes with shipping these root CAs when using Tor Messenger)
This is a good point, though I am not sure how the UI can be made better. My concern is not the UI but the fact that we don't want the users to have to deal with certificates, especially if they don't know anything about them. An ideal solution would be to not expose the SPI cert to users not using OFTC, but that is not possible.
I think we need to discuss this a bit more before we actually bundle the certs in our public builds (or not).