[tbb-dev] Tor Messenger and Certificates

Sukhbir Singh azadi at riseup.net
Fri Nov 28 17:45:46 UTC 2014


* Georg Koppen:

> why is that one not in Mozilla's trust store? Do they have documentation
> on how their internal processes wrt to issuing certificates work? Do
> they have audits of that process?

There is a standardized process but I am not aware of that other than
the fact that it exists.


The SPI root cert on the other hand comes bundled with Debian and is
part of ca-certificates.

> Messing with CAs is always a tricky business. And, personally, I am not
> a strong fan of adding root certificates of organizations that can't
> make sure their processes can handle issuing certificates properly,
> quite the contrary. (Btw. I am not claiming that all the other CAs *can*
> make that sure; that's a separate discussion though)
> Instead of adding additional root certificates I'd explore ways of
> getting the necessary certificates installed in the user-friendliest way
> possible when the user is *actually needing* them. (There is no need to
> expose all those users that are neither using OFTC nor jabber.ccc.de to
> the additional risk that comes with shipping these root CAs when using
> Tor Messenger)

This is a good point though I am not sure how the UI can be made better.
My concern is not the UI but the fact that we don't want that the users
have to deal with certificates, especially if they don't know anything
about them. An ideal solution will be to not expose the SPI cert to
users not using OFTC, but that is not possible.

I think we need to discuss this a bit more before we actually bundle the
certs in our public builds (or not.)


More information about the tbb-dev mailing list