Thunderbird and Pretty Easy Privacy - current status
vb at pep-project.org
Sat Feb 27 15:58:23 UTC 2016
On Sat, Feb 27, 2016 at 01:23:44PM +0100, Sebastian wrote:
> The organization and community of CACert is in a really bad state
> currently. Community and board strongly disagree.
That's actually true. I learned from this conflict on FOSDEM.
> CACert has a great idea, but not a trustworthy organization at the moment.
I see this point differently.
> I can't think of any reasons to use certificates signed by them, as
> there's now letsencrypt anyway.
CAcert and Let's encrypt are trying to solve totally different problems.
CAcert is trying to solve the problem that the concept of commercial CAs
is not trustworthy at all (which is the case).
Let's encrypt is trying to solve the problem that way too many people
don't encrypt their webservers, which to have is better than nothing, and
together with TOFU/CP is a compromise.
The two projects are fighting at different fronts.
> pep.foundation uses such a certificate.
https://pep.foundation is using a Let's encrypt certificate.
https://cacert.pep.foundation is using a CAcert certificate.
https://prettyeasyprivacy.com is using a Let's encrypt certificate.
https://cacert.pep-project.org is using a CAcert certificate.
All that may be used by end users is using Let's encrypt certificates.
All that depends on trust is using CAcert certificates. The domain names
give this information, so it's not a surprise. Because security-relevant things
are being read by security-interested people, this is signalled:
https://prettyeasyprivacy.com is for business customers. So it makes no sense
to use CAcert at this point of time. http://pep-project.org is making a
political statement by pointing to the topic not using a “CA of the list” – the
trust problem still is unsolved. TOFU and Certificate Pinning are helpers, but
don't solve the problem.
> - pEp wants to reach non-experienced users, they don't know of CACert
Yes. And that's why we're not using CAcert certificates on websites for
> - the certificate is only valid for cacert.pep-project.org, thus also
> gives a ssl_error_bad_cert_domain for https://pep-project.org/
https://pep-project.org/ is nowhere linked or used. Actually it's a bug that it
does not give an error and deliver nothing.
Volker Birk, p≡p project
mailto:vb at pep-project.org http://www.pep-project.org