Debian and CAcert

Please consider subscribing to LWN

Subscriptions are the lifeblood of LWN.net. If you appreciate this content and would like to see more of it, your subscription will help to ensure that LWN continues to thrive. Please visit this page to join up and keep LWN on the net.

CAcert is an SSL/TLS certificate authority (CA) that seeks to be community driven and to provide certificates for free (gratis), which stands in sharp contrast to the other existing CAs. But, in order for CAcert-signed certificates to be accepted by web browsers and other TLS-using applications, the CAcert root certificate must be included in the "trusted certificate store" that operating systems use to determine which CAs to trust. For the most part, CAcert has found it difficult to get included in the distribution-supplied trusted root stores; the discussion in a recently closed Debian bug highlights the problem.

Adding and subtracting CAcert

Debian has been distributing the CAcert root since 2005, when it was added to the ca-certificates package. That has ended with the removal of the certificates from the package by maintainer Michael Shuler in mid-March. That was in response to a bug filed in July 2013 asking for the removal of the CAcert root certificates for a variety of reasons, but mostly because the organization has not passed an audit of its practices. As one might guess, there are a number of different viewpoints regarding the validity and trustworthiness of CAcert-signed certificates; Debian community members were not shy about expressing them.

At the time CAcert was added, the inclusion of certificate roots was done on an ad hoc basis where popularity and "advocating votes from project members" played a role, according to Thijs Kinkhorst. That has changed to follow whatever Mozilla is doing with respect to which root certificates to include. CAcert itself withdrew its Mozilla inclusion request back in 2007, awaiting the results of CAcert's long-stalled internal audit.

Under most criteria, CAcert fails to provide enough assurance that its processes are secure enough to merit inclusion. In addition, the code it uses to manage certificates (which is open source) has some serious problems, as reported by Ansgar Burchardt. But CAcert is different than other CAs in fundamental ways that make it attractive to include its root certificates. As Kinkhorst put it: "CAcert is a bit of a special case because it's the only real community CA, and in that sense very different from the other CA's, and in that sense also close at heart to the way Debian operates." But even he was unsatisfied with the security of CAcert.

As Geoffrey Thomas pointed out, other CAs offer gratis certificates (GlobalSign for open source projects, StartCom for anyone), which moots the argument that CAcert is the only gratis provider, to some extent anyway. But, Alessandro Vesely was not convinced:

It seems to me CAcert certificates are free, not free-of-charge. The difference is between "free beer" and "free speech", as they say. I see that other providers offer free-of-charge certificates, and I consider those marketing strategies ultimately aimed at improving their sales.

Vesely is referring to the organization of CAcert and that it releases its code under the GPL, when he refers to it as "free as in free speech". CAcert certainly has a different philosophy than most other CAs, which is reflected in the goodwill that many in the free software world are willing to grant the organization.

Given that few other distributions (or any major browser vendors) include the CAcert root certificates, Debian's decision to do so doesn't really help, as several pointed out in the bug. If developers get CAcert certificates for their sites and test them from Debian only, they will get a false sense of what their users will see (i.e. the developers won't see the invalid certificate warnings that will pop up for users). The fact that Debian ships CAcert roots can be seen as something of an endorsement of CAcert, which might be intended, but also of its security practices, which probably isn't. But, as Vesely and others pointed out, the other CAs don't have spotless security records; furthermore we can't even see their code to find the kinds of problems Burchardt reported.

Reaction to CAcert removal

Shuler's announcement that the CAcert roots had been removed was met with a number of objections. Christoph Anton Mitterer complained that there was something of a double standard being applied since there are other "doubtful CAs" included in the ca-certificates package. In fact, that package is essentially just the Mozilla-distributed root store with one addition: the Software in the Public Interest (SPI) root certificate—because SPI runs some of the Debian infrastructure.

Axel Beckert suggested adding the CAcert roots back into the package, but disabling them by default. It had come up earlier in the discussion too. The ca-certificates package is a secure way for Debian users who do want those root certificates to get them. Removing them requires those users to find another path.

But Thomas R. Koll was quite supportive of the removal. He was fairly dismissive of arguments against removal:

Please do not reason against the removal, instead you have to prove (every year in my eyes) that CACert is trustworthy. Inverting the burden of proof, as it has [happened] far [too] often in these CACert discussions, is unacceptable when talking about security.

Daniel Kahn Gillmor doesn't see the issue as so clear-cut. While there are criteria that Mozilla uses to exclude some CAs, they aren't necessarily strictly applied to all:

He is also skeptical of including the SPI root certificate because it runs some of the Debian infrastructure. In fact, Gillmor said, that's a good reason not to include it as its presence makes it harder to switch away from the Debian infrastructure in the event it gets compromised (or the user is being targeted by someone in charge of Debian infrastructure). "With SPI's root cert, stopping software updates or varying my choice of debian mirror does *not* defend me against malicious use of the CA, and an attack can be much more narrowly tailored and hard to detect."

There are plans to move from certificates signed by the SPI root to those from another CA, Gandi, but Mitterer, at least, is not fond of that plan. It just moves the problem from SPI to Gandi, he said. He suggested that Debian should run its own CA.

While there was a fair amount of support for shipping, but not enabling, the CAcert root certificates, that has not happened, at least yet. As most would agree, the CA system that we have is largely broken in multiple ways, so, to some at least, arbitrarily deciding that CAcert is "insecure" is a bit of a stretch. On the other hand, there is a Mozilla policy that, if followed, would allow the CAcert root into the Mozilla root store (and thus, likely, back into the Debian package), but CAcert has been unable to complete the process for financial or logistical reasons. For now, though, Debian users that want to include CAcert in their root store are on their own.

For the most part, other distributions have not picked up CAcert either. Ubuntu followed the Debian lead for a while and continued that by recently removing the CAcert roots. Perhaps the most significant distributions that include CAcert roots are Mandriva, Arch Linux, Gentoo, and OpenBSD. Some are either descendants of Debian or use the Debian package, so that may change in light of Debian's removal. The best way forward for CAcert would seem to be completing the audit and getting included by Mozilla, but even that doesn't solve the whole problem. One guesses that Microsoft, Google, and Apple might be harder nuts to crack.

Index entries for this article
Security	Certificate Authorities (CAs)

---