Thunderbird and Pretty Easy Privacy - current status

Volker Birk vb at
Sat Feb 27 11:31:06 UTC 2016

On Sat, Feb 27, 2016 at 04:58:32PM +1030, Matt Harris wrote:
> On 27/02/2016 3:17 AM, Nathan Tuggy wrote:
> >It’s a sad day when privacy-oriented, bug-savvy Thunderbird contributors
> >can’t recognize a CAcert-signed website.
> No, it is reflective of my concerns: are we going to have these sorts of
> meaningless errors just pop up in Thunderbird as well?

Neither is this “error” meaningless (actually, it's not an error), nor will you
have something like this in a mass product.

If you have a look at p≡p's business homepage, it's this:

Please check the certificate. You'll see that's the Let's Encrypt compromise.

But there is a very good reason to have a CAcert for the source code: actually,
this is one of the only concepts for X.509 that really can transport trust.
And accessing the source code of security-relevant software is a thing where
a MITM is a relevant attack vector.

> It might be a sad day, but our users are not privacy oriented, bug savvy or
> contributors.

I fully agree with this statement. But it's sad in exactly the same way that
the same users don't care for the source code. And if you have a look at
what is using a CAcert, it's just the source code, nothing else. Everything
where you have to just click to get it to work is using Let's Encrypt – for
the exact reason you're giving here.

> Is P=P based on using certificates from a CA that can not get itself
> integrated into Firefox?

No. p≡p is in no way dependent on CAcert. Hernani is working on a whitepaper
about how p≡p works. We have it in the review process now. After it's ready,
I will post a note here.

Volker Birk, p≡p project
mailto:vb at