<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 92.4pt 1.0in 92.4pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText>Oh, it’s got just so much so very more interesting!<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Evidently the OpenID Foundation Board resolved to
delegate to Debian (a party assumed from a web search on the term Debian) - which
appears to claims to delegate to the package maintainer. Debian seem to assert
that there is (a) a submission process (addressing IPR, no doubt), and (b)
a verification process (addressing "approval" rules).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>"8.7. SSL Infrastructure<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>-----------------------<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> Debian
does provide some SSL certificates with the distribution so<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> that
they can be installed locally. They are found in the<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>
`ca-certificates' package. This package provides a central repository<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> of
certificates that have been submitted to Debian and approved (that<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> is,
verified) by the package maintainer, useful for any OpenSSL<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>
applications which verify SSL connections.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> FIXME:
read debian-devel to see if there was something added to this."<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>[ <a
href="http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt">http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt</a>
]<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>On looking into this with trivial effort (far below the level
of reasonableness of a security professional) :-<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>"Note that certificate
authorities whose certificates are included in this package are not in any way
audited for trustworthiness and RFC 3647 compliance, and that full
responsibility to assess them rests with the user."<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>[http://packages.debian.org/etch/ca-certificates]<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>So for yesterday's controls on voter OPs/CAs, the packager
maintainer (who MAY be "Fumitoshi UKAI") apparently punts the responsibility
back to the Foundation (as "the user")<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Ok. We are back full circle. Who is responsible at the Foundation
for the security controls of its operational systems for the election software?
Ok ok. I already know the answer. We are only allowed to find out “after”
the election.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Now, yesterday the CA parties on whom the election software
was configured to rely may have been (though strangely, Eddy CA's is also
reputed to have worked:)<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>* spi-inc.org certificate<o:p></o:p></p>
<p class=MsoPlainText> * db.debian.org certificate<o:p></o:p></p>
<p class=MsoPlainText> * debconf.org certificate<o:p></o:p></p>
<p class=MsoPlainText> * Mozilla builtin CA certificates<o:p></o:p></p>
<p class=MsoPlainText> * CACert.org certificates<o:p></o:p></p>
<p class=MsoPlainText> * Brazilian Government Certificate<o:p></o:p></p>
<p class=MsoPlainText> * Signet CA certificates<o:p></o:p></p>
<p class=MsoPlainText> * QuoVadis CA certificates<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>As of today, the list may be being maintained by a
different party (Phillip Kern), who mayhave different criteria.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The new list of CA is rather less transparent then
before, but the punting has become more specific:-<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Please note that certificate
authorities whose certificates are included in this package are not in any way
audited for trustworthiness and RFC 3647 compliance, and that full
responsibility to assess them belongs to the local system administrator.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>[http://packages.debian.org/lenny/ca-certificates]<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I wonder who lenny is?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>At <a
href="http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20080809/changelog">http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20080809/changelog</a>
there is some interesting info:-<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>"ca-certificates (20080809)
unstable; urgency=low<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> * New cacert.org.pem
joining both CACert Class 1 and Class 3 certificates.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> This file can
be used for proper certificate chaining if CACert<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> server
certificates are used. The old class3.pem and root.pem<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> certificates
are deprecated. This new file could safely serve as<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> a replacement
for both. (Closes: #494343)<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> * This also reintroduces
the old name for the CACert certificate,<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> thus closing
a long-standing bug about its rename to root.crt.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> (Closes:
#413766)<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'> -- Philipp Kern
<pkern@debian.org> Sat, 09 Aug 2008 14:58:24 -0300"<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Now, don’t I recall Eddy recommend (as a purported member,
and claiming Nominator of a Candidate) that CA.Cert is not a body the Foundation
would really want to associate to closely with -- let alone be partly
responsible for the integrity of its election process?<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>" Give me a break....not
going to argue here at OpenID about the use of CAcert, but it's basically crap!
Not even worth the digital paper those certs are issued on. And their relying
parties agreement is worse than anything else I've seen in this industry so
far. Even worse than VeriSign! Neither does CAcert represent Open Source (sick)
nor anything open at all. Read their subscriber agreement, my friend, educate
yourself!" [http://openid.net/pipermail/general/2008-December/006831.html]<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Lket not forget tho, whos said this:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>-----Original Message-----<o:p></o:p></p>
<p class=MsoPlainText>> From: general-bounces@openid.net
[mailto:general-bounces@openid.net] On<o:p></o:p></p>
<p class=MsoPlainText>> Behalf Of SitG Admin<o:p></o:p></p>
<p class=MsoPlainText>> Sent: Monday, December 15, 2008 2:17 PM<o:p></o:p></p>
<p class=MsoPlainText>> To: David Recordon<o:p></o:p></p>
<p class=MsoPlainText>> Cc: general@openid.net<o:p></o:p></p>
<p class=MsoPlainText>> Subject: Re: [OpenID] Logging in problem<o:p></o:p></p>
<p class=MsoPlainText>> <o:p></o:p></p>
<p class=MsoPlainText>> >We were running version 20070303 of the
ca-certificates package and<o:p></o:p></p>
<p class=MsoPlainText>> >I've just upgraded it to the latest version of
20080809 which added<o:p></o:p></p>
<p class=MsoPlainText>> >around thirty new CAs.<o:p></o:p></p>
<p class=MsoPlainText>> <o:p></o:p></p>
<p class=MsoPlainText>> Thanks. Peter - there's your answer, the
ca-certificates package from<o:p></o:p></p>
<p class=MsoPlainText>> March 3rd 2007 should list which CA's were accepted.<o:p></o:p></p>
<p class=MsoPlainText>> <o:p></o:p></p>
<p class=MsoPlainText>> -Shade<o:p></o:p></p>
<p class=MsoPlainText>> _______________________________________________<o:p></o:p></p>
<p class=MsoPlainText>> general mailing list<o:p></o:p></p>
<p class=MsoPlainText>> general@openid.net<o:p></o:p></p>
<p class=MsoPlainText>> http://openid.net/mailman/listinfo/general<o:p></o:p></p>
</div>
</body>
</html>