[tbb-dev] Tor Messenger and Certificates

Sukhbir Singh azadi at riseup.net
Tue Nov 25 17:33:57 UTC 2014


Here is an update about shipping certificates with Tor Messenger:

We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this
root certificate is also bundled with Debian, we are not worried about
this. (We are being transparent in the build system that we are bundling
this cert and will be more so in the documentation and public

Coming to jabber.ccc.de: it is signed by CAcert, which brings me to
the question -- should we be bundling the CAcert root certificate? I
base this question on the fact that it is not shipped with Debian (or
Ubuntu) or Mozilla, and there seems to be a lot of discussion (one
example: http://lwn.net/Articles/590879/) about this topic. Should we
ship this with Tor Messenger then?

Another alternative solution is to add the jabber.ccc.de certificate
itself and not the CAcert root (which is currently what is in the
repository).  But I think that's probably even worse given that I am
adding the CCC cert itself as a root cert.


(For the record, we are adding certificates during the build process by
updating certdata.txt.)
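
Added example, not part of the original post or of the Tor Messenger build system: one way to make bundled certificates visible in review is to diff the server-auth trust entries of the modified certdata.txt against the upstream copy. The sample objects and labels are constructed, and the function names `server_auth_trust` and `added_anchors` are hypothetical.

```python
# Constructed sample objects in certdata.txt syntax; octal blobs are shortened.
UPSTREAM = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Upstream Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''
BUNDLED = UPSTREAM + r'''
# Trust for "Example Added Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Added Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\004\005\006
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

def server_auth_trust(text):
    """Map each CKO_NSS_TRUST object's label to its CKA_TRUST_SERVER_AUTH value."""
    objects, in_blob = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_blob:                      # skip octal data up to its END marker
            in_blob = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)     # attribute name, type, optional value
        if len(fields) < 2:
            continue
        value = fields[2] if len(fields) == 3 else ""
        if fields[1] == "MULTILINE_OCTAL":
            in_blob = True
        elif fields[0] == "CKA_CLASS":   # every object starts with CKA_CLASS
            objects.append({"CKA_CLASS": value})
        elif objects:
            objects[-1][fields[0]] = value.strip('"')
    return {o.get("CKA_LABEL", "?"): o.get("CKA_TRUST_SERVER_AUTH", "unset")
            for o in objects if o["CKA_CLASS"] == "CKO_NSS_TRUST"}

def added_anchors(upstream, bundled):
    """Labels whose server-auth trust is new or changed relative to upstream."""
    before, after = server_auth_trust(upstream), server_auth_trust(bundled)
    return sorted((label, trust) for label, trust in after.items()
                  if before.get(label) != trust)

if __name__ == "__main__":
    for label, trust in added_anchors(UPSTREAM, BUNDLED):
        print(f"{label}: {trust}")
```

In NSS trust objects, `CKT_NSS_TRUSTED_DELEGATOR` marks a certificate trusted as a CA, while `CKT_NSS_TRUSTED` marks the certificate itself as trusted, so the reported value shows which kind of trust an added entry carries.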


