[tbb-dev] Tor Messenger and Certificates

Georg Koppen gk at torproject.org
Wed Nov 26 09:00:47 UTC 2014


Sukhbir Singh:
> Hi,
> Here is an update about shipping certificates with Tor Messenger:
> We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this
> root certificate is also bundled with Debian, we are not worried about
> this. (We are being transparent in the build system that we are bundling
> this cert and will be more so in the documentation and public
> announcement.)

Why is that one not in Mozilla's trust store? Do they have documentation
on how their internal processes wrt issuing certificates work? Do
they have audits of that process?

> Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to
> the question -- should we be bundling the CAcert root certificate? I
> base this question on the fact that it is not shipped with Debian (or
> Ubuntu) or Mozilla, and there seems to be a lot of discussion (one
> example: http://lwn.net/Articles/590879/) about this topic. Should we
> ship this with Tor Messenger then?

Messing with CAs is always a tricky business. And, personally, I am not
a strong fan of adding root certificates of organizations that can't
make sure their processes can handle issuing certificates properly,
quite the contrary. (Btw, I am not claiming that all the other CAs *can*
make that sure; that's a separate discussion though.)

Instead of adding additional root certificates I'd explore ways of
getting the necessary certificates installed in the user-friendliest way
possible when the user is *actually needing* them. (There is no need to
expose all those users that are neither using OFTC nor jabber.ccc.de to
the additional risk that comes with shipping these root CAs when using
Tor Messenger.)


