Thunderbird and Pretty Easy Privacy - current status

Volker Birk vb at pep-project.org
Sat Feb 27 15:58:23 UTC 2016


On Sat, Feb 27, 2016 at 01:23:44PM +0100, Sebastian wrote:
> The organization and community of CACert is in a really bad state
> currently. Community and board strongly disagree.

That's actually true. I learned from this conflict on FOSDEM.

> CACert has a great idea, but not a trustworthy organization at the moment.

I see this point differently.

> I can't think of any reasons to use certificates signed by them, as
> there's now letsencrypt anyway.

CAcert and Let's encrypt are trying to solve totally different problems.

CAcert is trying to solve the problem that the concept of commercial CAs
is not trustworthy at all (which is the case).

Let's encrypt is trying to solve the problem that way too many people
don't encrypt their webservers; having that is better than nothing, and
together with TOFU/CP it is a compromise.

The two projects are fighting at different fronts.

> pep.foundation uses such a certificate.

https://pep.foundation is using a Let's encrypt certificate.
https://cacert.pep.foundation is using a CAcert certificate.

https://prettyeasyprivacy.com is using a Let's encrypt certificate.
https://cacert.pep-project.org is using a CAcert certificate.

Or, sorted:

Everything that may be used by end users is using Let's encrypt certificates:

https://pep.foundation
https://prettyeasyprivacy.com

Everything that depends on trust is using CAcert certificates. The domain names
give this information, so it's not a surprise. Because security-relevant things
are being read by security-interested people, this is signalled:

https://cacert.pep.foundation
https://cacert.pep-project.org

https://prettyeasyprivacy.com is for business customers. So it makes no sense
to use CAcert at this point in time. http://pep-project.org is making a
political statement by pointing to the topic by not using a “CA of the list” – the
trust problem is still unsolved. TOFU and Certificate Pinning are helpers, but
don't solve the problem.

> - pEp wants to reach non-experienced users, they don't know of CACert

Yes. And that's why we're not using CAcert certificates on websites for
non-experienced users.

> - the certificate is only valid for cacert.pep-project.org, thus also
> gives an ssl_error_bad_cert_domain for https://pep-project.org/

https://pep-project.org/ is nowhere linked or used. Actually, it's a bug that it
does not give an error and delivers nothing.

Yours,
VB.
-- 
Volker Birk, p≡p project
mailto:vb at pep-project.org  http://www.pep-project.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20160227/0720beac/attachment.sig>
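The ssl_error_bad_cert_domain mentioned in the thread comes from name matching: a certificate issued only for cacert.pep-project.org presents no name that covers pep-project.org, so the browser rejects it before any trust decision is made. The following is an added example, not code from the p≡p project or from either poster, that implements the web-PKI name-matching rules (case-insensitive comparison, SAN-before-CN, single-label leftmost wildcards only) and runs them against a constructed stand-in for that certificate; the certificate's name list, the `CertNames` type and the function names are assumptions made for the example, and the real certificate was not inspected.

```python
"""Hostname-vs-certificate name matching in the style of RFC 6125 / RFC 9525.

Added example: not code from the p≡p project or the tb-planning thread.
The certificate name lists below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CertNames:
    """The DNS names a (constructed) certificate is valid for."""
    subject_cn: str
    san_dns: tuple[str, ...]

    def presented_names(self) -> tuple[str, ...]:
        # Modern validators consult only the SAN extension; the subject CN is
        # a fallback solely for certificates that carry no SAN at all.
        return self.san_dns if self.san_dns else (self.subject_cn,)


def _labels(name: str) -> list[str]:
    # Normalise: drop a trailing dot, lower-case, split into DNS labels.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(presented: str, hostname: str) -> bool:
    """Return True if the certificate name `presented` covers `hostname`.

    Rules applied (the subset that matters for web PKI):
    * comparison is case-insensitive and ignores a trailing dot;
    * a wildcard is honoured only as the whole leftmost label ("*.example.org");
    * a wildcard matches exactly one label, so "*.example.org" covers neither
      "example.org" nor "a.b.example.org";
    * a wildcard name needs at least three labels ("*.org" is rejected).
    """
    p, h = _labels(presented), _labels(hostname)
    if "*" not in presented:
        return p == h
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def certificate_covers(cert: CertNames, hostname: str) -> bool:
    """True if any name the certificate presents matches `hostname`."""
    return any(dns_name_matches(n, hostname) for n in cert.presented_names())


# Constructed stand-in for the certificate discussed in the thread: a
# certificate naming cacert.pep-project.org and nothing else (assumption).
CACERT_SITE = CertNames(subject_cn="cacert.pep-project.org",
                        san_dns=("cacert.pep-project.org",))


def check_report(cert: CertNames, hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether `cert` is valid for it."""
    return {h: certificate_covers(cert, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["cacert.pep-project.org", "pep-project.org"]
    for host, ok in check_report(CACERT_SITE, hosts).items():
        verdict = "ok" if ok else "name mismatch (ssl_error_bad_cert_domain)"
        print(f"{host:26} {verdict}")
```

The wildcard rules matter for the same reason: even a hypothetical `*.pep-project.org` certificate would not cover the bare `pep-project.org`, so serving the apex domain always needs a certificate that names it explicitly.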