Hi,
Sukhbir Singh:
Hi,
Here is an update about shipping certificates with Tor Messenger:
We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this root certificate is also bundled with Debian, we are not worried about this. (We are being transparent in the build system that we are bundling this cert and will be more so in the documentation and public announcement.)
Why is that one not in Mozilla's trust store? Do they have documentation on how their internal processes wrt issuing certificates work? Do they have audits of that process?
Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to the question -- should we be bundling the CAcert root certificate? I base this question on the fact that it is not shipped with Debian (or Ubuntu) or Mozilla, and there seems to be a lot of discussion (one example: http://lwn.net/Articles/590879/) about this topic. Should we ship this with Tor Messenger then?
Messing with CAs is always a tricky business. And, personally, I am not a strong fan of adding root certificates of organizations that can't make sure their processes can handle issuing certificates properly, quite the contrary. (Btw. I am not claiming that all the other CAs *can* make that sure; that's a separate discussion though.)
Instead of adding additional root certificates I'd explore ways of getting the necessary certificates installed in the user-friendliest way possible when the user is *actually needing* them. (There is no need to expose all those users that are neither using OFTC nor jabber.ccc.de to the additional risk that comes with shipping these root CAs when using Tor Messenger.)
Georg