Debian and CAcert


CAcert is an SSL/TLS certificate authority (CA) that seeks to be community driven and to provide certificates for free (gratis), which stands in sharp contrast to the other existing CAs. But, in order for CAcert-signed certificates to be accepted by web browsers and other TLS-using applications, the CAcert root certificate must be included in the "trusted certificate store" that operating systems use to determine which CAs to trust. For the most part, CAcert has found it difficult to get included in the distribution-supplied trusted root stores; the discussion in a recently closed Debian bug highlights the problem.

Adding and subtracting CAcert

Debian has been distributing the CAcert root since 2005, when it was added to the ca-certificates package. That has ended with the removal of the certificates from the package by maintainer Michael Shuler in mid-March. That was in response to a bug filed in July 2013 asking for the removal of the CAcert root certificates for a variety of reasons, but mostly because the organization has not passed an audit of its practices. As one might guess, there are a number of different viewpoints regarding the validity and trustworthiness of CAcert-signed certificates; Debian community members were not shy about expressing them.

At the time CAcert was added, the inclusion of certificate roots was done on an ad hoc basis where popularity and "advocating votes from project members" played a role, according to Thijs Kinkhorst. That has changed to follow whatever Mozilla is doing with respect to which root certificates to include. CAcert itself withdrew its Mozilla inclusion request back in 2007, awaiting the results of CAcert's long-stalled internal audit.

Under most criteria, CAcert fails to provide enough assurance that its processes are secure enough to merit inclusion. In addition, the code it uses to manage certificates (which is open source) has some serious problems, as reported by Ansgar Burchardt. But CAcert is different from other CAs in fundamental ways that make it attractive to include its root certificates. As Kinkhorst put it: "CAcert is a bit of a special case because it's the only real community CA, and in that sense very different from the other CA's, and in that sense also close at heart to the way Debian operates." But even he was unsatisfied with the security of CAcert.

As Geoffrey Thomas pointed out, other CAs offer gratis certificates (GlobalSign for open source projects, StartCom for anyone), which, to some extent at least, undercuts the argument that CAcert is the only gratis provider. But Alessandro Vesely was not convinced:

It seems to me CAcert certificates are free, not free-of-charge. The difference is between "free beer" and "free speech", as they say. I see that other providers offer free-of-charge certificates, and I consider those marketing strategies ultimately aimed at improving their sales.

When Vesely calls CAcert "free as in free speech", he is referring to how the organization is run and to the fact that it releases its code under the GPL. CAcert certainly has a different philosophy than most other CAs, which is reflected in the goodwill that many in the free software world are willing to grant the organization.

Given that few other distributions (or any major browser vendors) include the CAcert root certificates, Debian's decision to do so doesn't really help, as several pointed out in the bug. If developers get CAcert certificates for their sites and test them from Debian only, they will get a false sense of what their users will see (i.e. the developers won't see the invalid certificate warnings that will pop up for users). The fact that Debian ships CAcert roots can be seen as something of an endorsement of CAcert, which might be intended, but also of its security practices, which probably isn't. But, as Vesely and others pointed out, the other CAs don't have spotless security records; furthermore we can't even see their code to find the kinds of problems Burchardt reported.

Reaction to CAcert removal

Shuler's announcement that the CAcert roots had been removed was met with a number of objections. Christoph Anton Mitterer complained that there was something of a double standard being applied since there are other "doubtful CAs" included in the ca-certificates package. In fact, that package is essentially just the Mozilla-distributed root store with one addition: the Software in the Public Interest (SPI) root certificate—because SPI runs some of the Debian infrastructure.

Axel Beckert suggested adding the CAcert roots back into the package, but disabling them by default. It had come up earlier in the discussion too. The ca-certificates package is a secure way for Debian users who do want those root certificates to get them. Removing them requires those users to find another path.

But Thomas R. Koll was quite supportive of the removal. He was fairly dismissive of arguments against removal:

Please do not reason against the removal, instead you have to prove (every year in my eyes) that CACert is trustworthy. Inverting the burden of proof, as it has [happened] far [too] often in these CACert discussions, is unacceptable when talking about security.

Daniel Kahn Gillmor doesn't see the issue as so clear-cut. While there are criteria that Mozilla uses to exclude some CAs, they aren't necessarily strictly applied to all:

we don't even need audits to know that groups like verisign and rapidssl have failed to avoid mis-issuing certs, and yet we keep them in the ca-certificates package because of the perverse incentives created by the CA ecosystem. some of these CAs are simply "too big to fail" right now; CACert is not, so they're getting called out for their lack of security, whereas we simply can't afford to drop the other CAs because users would complain about not being able to reach their favorite web sites :( This tension results in further concentration of business among the "too big to fail" CAs (since they're the only ones who can issue acceptable certs), which ironically results in them being even less accountable to relying parties in the future. This is not a good long-term dynamic.

He is also skeptical of including the SPI root certificate on the grounds that SPI runs some of the Debian infrastructure. In fact, Gillmor said, that is a good reason not to include it: its presence makes it harder to switch away from the Debian infrastructure in the event it gets compromised (or the user is being targeted by someone in charge of Debian infrastructure). "With SPI's root cert, stopping software updates or varying my choice of debian mirror does *not* defend me against malicious use of the CA, and an attack can be much more narrowly tailored and hard to detect."

There are plans to move from certificates signed by the SPI root to those from another CA, Gandi, but Mitterer, at least, is not fond of that plan. It just moves the problem from SPI to Gandi, he said. He suggested that Debian should run its own CA.

While there was a fair amount of support for shipping, but not enabling, the CAcert root certificates, that has not happened, at least yet. As most would agree, the CA system that we have is largely broken in multiple ways, so, to some at least, arbitrarily deciding that CAcert is "insecure" is a bit of a stretch. On the other hand, there is a Mozilla policy that, if followed, would allow the CAcert root into the Mozilla root store (and thus, likely, back into the Debian package), but CAcert has been unable to complete the process for financial or logistical reasons. For now, though, Debian users that want to include CAcert in their root store are on their own.
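Both the ship-but-disable proposal from earlier in the discussion and the opt-in that Debian users now have to do by hand come down to the selection list used by the ca-certificates package. As an added illustration, not code from the package or from anyone in the discussion, here is a small POSIX shell model of that list: in /etc/ca-certificates.conf a line names a root, a leading "#" is a comment, and a leading "!" keeps the root listed but deselected. The file operated on is a constructed copy in a temporary directory, and the certificate names in it are made up.

```shell
#!/bin/sh
# Added example: a model of ca-certificates' selection list, not the package's
# own code. Everything here works on a constructed copy of the config file, so
# nothing touches the real /etc/ca-certificates.conf or /etc/ssl/certs.
set -eu

WORK=$(mktemp -d)
CONF="$WORK/ca-certificates.conf"

# Constructed sample: two Mozilla-derived roots enabled, and a CAcert root
# that is shipped but deselected with the '!' prefix, as was proposed.
cat > "$CONF" <<'EOF'
# constructed sample list; real lists name files under /usr/share/ca-certificates
mozilla/Example_Root_CA.crt
mozilla/Another_Root_CA.crt
!cacert/root.crt
EOF

# Roots that would actually be trusted: skip comments, blank lines and
# anything carrying the '!' deselect prefix.
selected_certs() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -v '^!'
}

# Roots that are shipped but deselected, with the prefix stripped.
deselected_certs() {
    grep '^!' "$1" | sed 's/^!//'
}

# Deselect a root by name; it stays listed so a user can opt back in later.
# A temp file is used instead of sed -i so this runs on any POSIX sed.
deselect_cert() {
    sed "s|^$2\$|!$2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Opt in to a root that was shipped deselected (the CAcert case).
select_cert() {
    sed "s|^!$2\$|$2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of trusted roots, a quick sanity check after editing the list.
selected_count() {
    selected_certs "$1" | wc -l | tr -d ' '
}
```

On a real system the edited list is applied by running update-ca-certificates, which rebuilds /etc/ssl/certs from it; the model above only shows which entries that step would pick up.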

For the most part, other distributions have not picked up CAcert either. Ubuntu followed the Debian lead for a while and continued that by recently removing the CAcert roots. Perhaps the most significant distributions that include CAcert roots are Mandriva, Arch Linux, Gentoo, and OpenBSD. Some are either descendants of Debian or use the Debian package, so that may change in light of Debian's removal. The best way forward for CAcert would seem to be completing the audit and getting included by Mozilla, but even that doesn't solve the whole problem. One guesses that Microsoft, Google, and Apple might be harder nuts to crack.

