Here is an update about shipping certificates with Tor Messenger:
We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this root certificate is also bundled with Debian, we are not worried about this. (We are being transparent in the build system that we are bundling this cert and will be more so in the documentation and public announcement.)
Coming to jabber.ccc.de, it is signed by CAcert. Which brings me to the question -- should we be bundling the CAcert root certificate? I base this question on the fact that it is not shipped with Debian (or Ubuntu) or Mozilla, and there seems to be a lot of discussion (one example: http://lwn.net/Articles/590879/) about this topic. Should we ship this with Tor Messenger then?
Another alternative solution is to add the jabber.ccc.de certificate itself and not the CAcert root (which is currently what is in the repository). But I think that's probably even worse given that I am adding the CCC cert itself as a root cert.
(For the record, we are adding certificates during the build process by updating certdata.txt.)
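As an added illustration of the last two points (this is example code written for this page, not Tor Messenger's build scripts): the snippet below emits the two certdata.txt objects NSS expects for a root (a CKO_CERTIFICATE object and a CKO_NSS_TRUST object with MULTILINE_OCTAL fields) and refuses to do so unless the certificate is a self-issued CA, i.e. basicConstraints cA is TRUE and subject equals issuer. That is exactly the distinction between bundling the CAcert root and bundling the CAcert-signed jabber.ccc.de server certificate as a root: the latter would be rejected. Everything is standard library; the X.509 parsing is a minimal DER walk rather than a full parser, the sample certificates are constructed in-process with a placeholder signature, and the labels, names and the choice to grant trust only for server auth (CKT_NSS_MUST_VERIFY_TRUST for e-mail and code signing) are assumptions of this example.

```python
# Added example (not Tor Messenger code): emit NSS certdata.txt objects for a root
# certificate, refusing to mark an end-entity cert as a trusted delegator. Stdlib only;
# sample certs are constructed in-process with a placeholder signature (not real certs).
import hashlib

OID_CN = b"\x06\x03\x55\x04\x03"                 # id-at-commonName 2.5.4.3
OID_BASIC_CONSTRAINTS = b"\x06\x03\x55\x1d\x13"  # id-ce-basicConstraints 2.5.29.19
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def der(tag, body):
    """Encode one DER TLV (long-form length above 127 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def tlvs(data):
    """Yield (tag, body, whole_tlv) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, ln, j = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln, j = int.from_bytes(data[j:j + k], "big"), j + k
        yield tag, data[j:j + ln], data[i:j + ln]
        i = j + ln

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, single CN here
    return der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, cn.encode()))))

def build_test_cert(subject_cn, issuer_cn, is_ca):
    """Constructed sample: X.509 v3 carrying only a basicConstraints extension."""
    alg = der(0x30, OID_SHA256_RSA + der(0x05, b""))
    bc = der(0x30, der(0x01, b"\xff") if is_ca else b"")  # cA TRUE, or absent (leaf)
    ext = der(0x30, OID_BASIC_CONSTRAINTS + der(0x01, b"\xff") + der(0x04, bc))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg  # v3, serial 1
              + name(issuer_cn)
              + der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"250101000000Z"))
              + name(subject_cn) + der(0x30, alg + der(0x03, b"\x00"))  # empty SPKI
              + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))  # placeholder signature

def parse_cert(cert):
    """Return DER-encoded serial, issuer and subject plus the basicConstraints cA flag."""
    fields = list(tlvs(next(tlvs(next(tlvs(cert))[1]))[1]))  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # explicit version tag is optional
        fields.pop(0)
    info = {"serial": fields[0][2], "issuer": fields[2][2],
            "subject": fields[4][2], "is_ca": False}
    for tag, body, _ in fields[5:]:
        if tag != 0xA3:
            continue
        for _, ext_body, _ in tlvs(next(tlvs(body))[1]):
            parts = list(tlvs(ext_body))  # extnID, [critical], extnValue
            if parts[0][2] == OID_BASIC_CONSTRAINTS:
                bc = list(tlvs(next(tlvs(parts[-1][1]))[1]))
                info["is_ca"] = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
    return info

def octal(b):
    """NSS MULTILINE_OCTAL: 16 bytes per line as \\ooo, terminated by END."""
    rows = ["".join("\\%03o" % c for c in b[i:i + 16]) for i in range(0, len(b), 16)]
    return "MULTILINE_OCTAL\n" + "\n".join(rows) + "\nEND"

def to_certdata(cert, label):
    """CKO_CERTIFICATE + CKO_NSS_TRUST objects for a self-issued CA; raises otherwise,
    because CKT_NSS_TRUSTED_DELEGATOR on a server certificate makes that cert a root."""
    info = parse_cert(cert)
    if not info["is_ca"]:
        raise ValueError(label + ": basicConstraints cA is not TRUE, not a root")
    if info["subject"] != info["issuer"]:
        raise ValueError(label + ": not self-issued, bundle its issuing root instead")
    hdr = [("CKA_TOKEN", "CK_BBOOL CK_TRUE"), ("CKA_PRIVATE", "CK_BBOOL CK_FALSE"),
           ("CKA_MODIFIABLE", "CK_BBOOL CK_FALSE"), ("CKA_LABEL", 'UTF8 "%s"' % label)]
    cert_obj = [("CKA_CLASS", "CK_OBJECT_CLASS CKO_CERTIFICATE")] + hdr + [
        ("CKA_CERTIFICATE_TYPE", "CK_CERTIFICATE_TYPE CKC_X_509"),
        ("CKA_SUBJECT", info["subject"]), ("CKA_ID", 'UTF8 "0"'),
        ("CKA_ISSUER", info["issuer"]), ("CKA_SERIAL_NUMBER", info["serial"]),
        ("CKA_VALUE", cert)]
    trust_obj = [("CKA_CLASS", "CK_OBJECT_CLASS CKO_NSS_TRUST")] + hdr + [
        ("CKA_CERT_SHA1_HASH", hashlib.sha1(cert).digest()),
        ("CKA_CERT_MD5_HASH", hashlib.md5(cert).digest()),
        ("CKA_ISSUER", info["issuer"]), ("CKA_SERIAL_NUMBER", info["serial"]),
        ("CKA_TRUST_SERVER_AUTH", "CK_TRUST CKT_NSS_TRUSTED_DELEGATOR"),  # TLS only
        ("CKA_TRUST_EMAIL_PROTECTION", "CK_TRUST CKT_NSS_MUST_VERIFY_TRUST"),
        ("CKA_TRUST_CODE_SIGNING", "CK_TRUST CKT_NSS_MUST_VERIFY_TRUST"),
        ("CKA_TRUST_STEP_UP_APPROVED", "CK_BBOOL CK_FALSE")]
    def fmt(attrs):
        return "".join("%s %s\n" % (k, octal(v) if isinstance(v, bytes) else v) for k, v in attrs)
    return ('#\n# Certificate "%s"\n#\n%s\n# Trust for "%s"\n%s'
            % (label, fmt(cert_obj), label, fmt(trust_obj)))

if __name__ == "__main__":
    root = build_test_cert("Example Root CA", "Example Root CA", is_ca=True)
    leaf = build_test_cert("jabber.example", "Example Root CA", is_ca=False)
    print(to_certdata(root, "Example Root CA"))
    to_certdata(leaf, "jabber.example")  # raises: the "server cert as root" mistake
```

For a real build the input would be the DER from the PEM file (ssl.PEM_cert_to_DER_cert in the standard library does that conversion), and the output is appended to certdata.txt before NSS is built. The two checks are the ones worth keeping even if the rest is replaced by a proper X.509 library: a certificate without cA TRUE must never receive CKT_NSS_TRUSTED_DELEGATOR, and a certificate whose issuer differs from its subject is the wrong thing to bundle, since the root that actually signed it is what the trust decision is about.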