Thunderbird and Pretty Easy Privacy - current status
vb at pep-project.org
Sat Feb 27 11:31:06 UTC 2016
On Sat, Feb 27, 2016 at 04:58:32PM +1030, Matt Harris wrote:
> On 27/02/2016 3:17 AM, Nathan Tuggy wrote:
> >It’s a sad day when privacy-oriented, bug-savvy Thunderbird contributors
> >can’t recognize a CAcert <http://www.cacert.org/>-signed website.
> No it is reflective of my concerns, are we going to have these sort of
> meaningless errors just pop up in Thunderbird as well?
Neither is this “error” meaningless (actually, it's not an error), nor will you
have something like this in a mass product.
If you have a look at p≡p's business homepage, it's this:
Please check the certificate. You'll see that's the Let's Encrypt compromise.
But there is a very good reason to have a CAcert for the source code: actually,
this is one of the only concepts for X.509, which really can transport trust.
And accessing the source code of security-relevant software is a thing where
a MITM is a relevant attack vector.
> It might be a sad day, but our users are not privacy oriented, bug savvy or
I fully agree with this statement. But it's sad in exactly the same way that
the same users don't care for the source code. And if you have a look at
what is using a CAcert, it's just the source code, nothing else. Everything
where you have to just click to get it to work is using Let's Encrypt – for
the exact reason you're giving here.
> Is P=P based on using certificates from a CA that can not get itself
> integrated into Firefox?
No. p≡p is in no way dependent on CAcert. Hernani is working on a whitepaper
about how p≡p works. We have it in the review process now. Once it's ready,
I will post a note here.
Volker Birk, p≡p project
mailto:vb at pep-project.org http://www.pep-project.org