[Tracker-discuss] Pseudo protection of b.p.o from MITM

Stephen J. Turnbull stephen at xemacs.org
Tue Apr 22 03:22:44 CEST 2014


Anatoly, don't you know that cross-posting is a bad idea?[1]  If you
disagree with the management of bugs.python.org, tracker-discuss is
the right place to post.

anatoly techtonik writes:

 > The b.p.o uses CAcert certificate that was never valid on Windows

Of course it was valid, it was simply not trusted by default.  Given
Microsoft's historical aversion to "free" anything, that's a
completely null signal.

 > and now removed from Ubuntu and Debian, and yet, some people push
 > the idea that it is OK to continue using such certificate for
 > b.p.o.

As pointed out (and never denied) in the thread[2] explaining why
Debian removed CAcert, Debian's "include only 'trustworthy' root
certificates" policy is broken, both in theory and in practice.  With
regard to CAcert, there are no known exploits -- which is not true of
several of the other authorities in Debian's bundle (which is mostly
taken from Mozilla).

Perhaps it's worth moving to a different free root authority, or maybe
even (gasp!) paying for a well-known commercial certificate, but you
need to find one that satisfies the technical requirement posted by
Martin -- namely, that certs for a particular host should *not* allow
escalation of privilege to all hosts in the python.org domain.  (Note
that if we use a commercial service this probably becomes rather
expensive.)  There may be other requirements I don't know about.

Personally, since I think that the X.509 architecture is broken at the
top in practice (why is Verisign trustworthy? how about the Chinese
National Network Information Center? or the Japanese Ministry of
Education (my employer)? yet most systems -- including Windows --
default to trusting any certificate issued by any of them), having a
root cert that seems trustworthy to me, yet isn't trusted by default,
allowing me to *choose* to assign an appropriate amount of trust to
bugs.python.org, seems to be the most secure option.

I don't know if it's any better than a self-signed cert, of course.

 > I disapprove the decision of these people

What else is new?

 > and hope that somebody from python community can change their
 > convoluted understanding of security.

Security *is* convoluted, and your own understanding of it seems to
be limited since you misuse technical terms like "valid" (there's a
difference between "cannot be validated" and "not valid").


Footnotes:
[1]  Among other things, it makes it likely that the ban on your
participation will be extended.
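Added example, not part of the thread and not anything python.org or CAcert runs: the two points in the message that are checkable mechanically are the distinction between "not valid" and "cannot be validated" (a chain that fails only because the root is not in the local trust store) and Martin's requirement that a certificate issued for one host must not be usable for other hosts in the domain. The script below builds a constructed throwaway root CA and a host certificate for bugs.python.org, then runs OpenSSL verification three ways: against an empty trust store (the situation on a system that does not ship the root), against a store where the root is deliberately added, and with a host-name check for a name the certificate was not issued for. Everything here (the CA name, keys, the `make_pki`/`verify_*` function names) is constructed for this example; it assumes only the `openssl` command-line tool, 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root CA + host cert,
# used to show "cannot be validated" vs "not valid", and name scoping.
# Assumes the openssl CLI (1.1.0+) is installed. No real python.org or
# CAcert material is used; all keys and names are generated here.

# make_pki DIR: create a throwaway root and a leaf cert for bugs.python.org
# inside DIR. Returns non-zero if any openssl step fails.
make_pki() {
    dir="$1"
    # Root: a self-signed CA certificate, the trust anchor a client may
    # choose to install. Marked as a CA with a CA-only key usage.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Constructed Example Root (not a real CA)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf request: subject only; extensions are applied at signing time.
    cat > "$dir/leaf.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = bugs.python.org
EOF
    # Leaf extensions: explicitly NOT a CA, and bound to exactly one host
    # name, so it cannot be used to vouch for other python.org hosts.
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:bugs.python.org
EOF
    # stderr is silenced only to hide key-generation progress output.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" 2>/dev/null
}

# verify_empty_store DIR: chain check against an empty trust store, i.e. a
# system that does not ship this root. Fails with "unable to get local
# issuer certificate": the cert is well-formed but cannot be validated.
verify_empty_store() {
    openssl verify -no-CAfile -no-CApath "$1/leaf.crt"
}

# verify_with_anchor DIR: same leaf, with the root trusted by choice.
verify_with_anchor() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/ca.crt" "$1/leaf.crt"
}

# verify_for_host DIR NAME: chain check plus host-name check, i.e. may this
# certificate be presented for NAME at all.
verify_for_host() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/ca.crt" \
        -verify_hostname "$2" "$1/leaf.crt"
}

# Demonstration run; the exit status of each verify call is the result.
WORK=$(mktemp -d)
make_pki "$WORK" || { echo "openssl setup failed"; exit 1; }
echo "--- empty trust store (expected to fail: cannot be validated)"
verify_empty_store "$WORK" || echo "status: not trusted by default"
echo "--- root explicitly trusted (expected OK)"
verify_with_anchor "$WORK" && echo "status: trusted by choice"
echo "--- presented for www.python.org (expected to fail: wrong host)"
verify_for_host "$WORK" www.python.org || echo "status: scoped to bugs.python.org only"
rm -rf "$WORK"
```

The first and second runs use the same certificate file; only the trust store differs, which is the whole content of the "cannot be validated" vs "not valid" distinction. The third run is the check a client performs for Martin's requirement: a leaf with `CA:FALSE` and a single `subjectAltName` verifies for bugs.python.org and is rejected for any other host, whichever root signed it.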


