[OpenID] Logging in problem

Peter Williams pwilliams at rapattoni.com
Mon Dec 15 23:11:55 UTC 2008


Oh, it's just got so very much more interesting!



Evidently the OpenID Foundation Board resolved to delegate to Debian (a party assumed from a web search on the term Debian) - which appears to claim to delegate to the package maintainer. Debian seems to assert that there is (a) a submission process (addressing IPR, no doubt), and (b) a verification process (addressing "approval" rules).



"8.7. SSL Infrastructure
-----------------------

     Debian does provide some SSL certificates with the distribution so
     that they can be installed locally.  They are found in the
     `ca-certificates' package.  This package provides a central repository
     of certificates that have been submitted to Debian and approved (that
     is, verified) by the package maintainer, useful for any OpenSSL
     applications which verify SSL connections.

     FIXME: read debian-devel to see if there was something added to this."



[ http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt ]







On looking into this with trivial effort (far below the level of reasonableness of a security professional) :-





"Note that certificate authorities whose certificates are included in this package are not in any way audited for trustworthiness and RFC 3647 compliance, and that full responsibility to assess them rests with the user."

[http://packages.debian.org/etch/ca-certificates]



So for yesterday's controls on voter OPs/CAs, the package maintainer (who MAY be "Fumitoshi UKAI") apparently punts the responsibility back to the Foundation (as "the user").



Ok. We are back full circle. Who is responsible at the Foundation for the security controls of its operational systems for the election software? Ok ok. I already know the answer. We are only allowed to find out "after" the election.



Now, yesterday the CA parties on whom the election software was configured to rely may have been (though strangely, Eddy's CA is also reputed to have worked:)



 * spi-inc.org certificate
 * db.debian.org certificate
 * debconf.org certificate
 * Mozilla builtin CA certificates
 * CACert.org certificates
 * Brazilian Government Certificate
 * Signet CA certificates
 * QuoVadis CA certificates





As of today, the list may be being maintained by a different party (Philipp Kern), who may have different criteria.



The new list of CAs is rather less transparent than before, but the punting has become more specific:-



Please note that certificate authorities whose certificates are included in this package are not in any way audited for trustworthiness and RFC 3647 compliance, and that full responsibility to assess them belongs to the local system administrator.



[http://packages.debian.org/lenny/ca-certificates]



I wonder who lenny is?





At http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20080809/changelog there is some interesting info:-





"ca-certificates (20080809) unstable; urgency=low

  * New cacert.org.pem joining both CACert Class 1 and Class 3 certificates.
    This file can be used for proper certificate chaining if CACert
    server certificates are used.  The old class3.pem and root.pem
    certificates are deprecated.  This new file could safely serve as
    a replacement for both.  (Closes: #494343)
  * This also reintroduces the old name for the CACert certificate,
    thus closing a long-standing bug about its rename to root.crt.
    (Closes: #413766)

 -- Philipp Kern <pkern at debian.org>  Sat, 09 Aug 2008 14:58:24 -0300"



Now, don't I recall Eddy recommending (as a purported member, and claiming Nominator of a Candidate) that CAcert is not a body the Foundation would really want to associate too closely with -- let alone be partly responsible for the integrity of its election process?



" Give me a break....not going to argue here at OpenID about the use of CAcert, but it's basically crap! Not even worth the digital paper those certs are issued on. And their relying parties agreement is worse than anything else I've seen in this industry so far. Even worse than VeriSign! Neither does CAcert represent Open Source (sick) nor anything open at all. Read their subscriber agreement, my friend, educate yourself!" [http://openid.net/pipermail/general/2008-December/006831.html]







Let's not forget, though, who said this:





-----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of SitG Admin
> Sent: Monday, December 15, 2008 2:17 PM
> To: David Recordon
> Cc: general at openid.net
> Subject: Re: [OpenID] Logging in problem
>
> >We were running version 20070303 of the ca-certificates package and
> >I've just upgraded it to the latest version of 20080809 which added
> >around thirty new CAs.
>
> Thanks. Peter - there's your answer, the ca-certificates package from
> March 3rd 2007 should list which CA's were accepted.
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
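Since the Debian package text quoted above places responsibility for assessing the bundled CAs on the local system administrator, the practical check is to audit which of the shipped certificates the host actually trusts. The following is an added example, not part of the original mail or of the Debian package: it parses the format of /etc/ca-certificates.conf (one certificate path per line, a leading '!' marking a shipped-but-deselected CA, '#' for comments) over a constructed sample with placeholder file names.

```python
"""Audit which CAs a Debian ca-certificates install enables (added example).

update-ca-certificates reads /etc/ca-certificates.conf: each line names a
certificate file relative to /usr/share/ca-certificates; a leading '!' marks a
CA that is shipped but deselected (not trusted); '#' starts a comment.
The sample below is constructed and its file names are placeholders.
"""
from collections import defaultdict

# Constructed sample of /etc/ca-certificates.conf (placeholder file names).
SAMPLE_CONF = """\
# Constructed sample: certificates to use (plain) or ignore ('!' prefix).
mozilla/EXAMPLE_Root_CA_1.crt
mozilla/EXAMPLE_Root_CA_2.crt
!cacert.org/EXAMPLE_cacert.crt
spi-inc.org/EXAMPLE_spi.crt
!debconf.org/EXAMPLE_debconf.crt
"""


def parse_ca_conf(text):
    """Return (enabled, disabled) lists of certificate paths from conf text."""
    enabled, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("!"):
            disabled.append(line[1:].strip())  # shipped but NOT trusted
        else:
            enabled.append(line)  # installed into /etc/ssl/certs
    return enabled, disabled


def trust_report(text):
    """Group trusted CA files by source directory (mozilla/, cacert.org/, ...)."""
    enabled, disabled = parse_ca_conf(text)
    by_source = defaultdict(list)
    for path in enabled:
        source = path.split("/", 1)[0] if "/" in path else "(top-level)"
        by_source[source].append(path)
    return {"enabled": dict(by_source), "disabled": disabled}


if __name__ == "__main__":
    # On a real Debian host, read open("/etc/ca-certificates.conf").read() instead.
    report = trust_report(SAMPLE_CONF)
    for source, certs in sorted(report["enabled"].items()):
        print(f"{source}: {len(certs)} trusted")
    for path in report["disabled"]:
        print(f"NOT trusted: {path}")
```

Deselecting a CA here and re-running update-ca-certificates is what removes it from the system trust store; the file itself says nothing about how trustworthy any listed CA is.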