Thunderbird and Pretty Easy Privacy - current status

Volker Birk vb at
Sat Feb 27 15:58:23 UTC 2016

On Sat, Feb 27, 2016 at 01:23:44PM +0100, Sebastian wrote:
> The organization and community of CACert is in a really bad state
> currently. Community and board strongly disagree.

That's actually true. I learned from this conflict on FOSDEM.

> CACert has a great idea, but not a trustworthy organization at the moment.

I see this point differently.

> I can't think of any reasons to use certificates signed by them, as
> there's now letsencrypt anyway.

CAcert and Let's encrypt are trying to solve totally different problems.

CAcert is trying to solve the problem that the concept of commercial CAs
is not trustworthy at all (which is the case).

Let's encrypt is trying to solve the problem that way too many people
don't encrypt their webservers, which to have is better than nothing, and
together with TOFU/CP is a compromise.

The two projects are fighting on different fronts.

> uses such a certificate.

is using a Let's encrypt certificate.
is using a CAcert certificate.
is using a Let's encrypt certificate.
is using a CAcert certificate.

Or, sorted:

All, which may be used by end users is using Let's encrypt certificates:

All, which is depending on trust is using CAcert certificates. The domain names
give this information, so it's not a surprise. Because security relevant things
are being read by security interested people, this is signalled: is for business customers. So it makes no sense
to use CAcert at this point of time. is making a
political statement by pointing to the topic not using a “CA of the list” – the
trust problem still is unsolved. TOFU and Certificate Pinning are helpers, but
don't solve the problem.

> - pEp wants to reach non-experienced users, they don't know of CACert

Yes. And that's why we're not using CAcert certificates on websites for
non-experienced users.

> - the certificate is only valid for, thus also
> gives a ssl_error_bad_cert_domain for

is nowhere linked or used. Actually it's a bug that it
does not give an error and deliver nothing.

Volker Birk, p≡p project
mailto:vb at

More information about the tb-planning mailing list