I think the community may have unreasonable expectations of CAcert.
Why do CAcert certificates have to be free of charge? Free as in freedom does not necessarily entail freedom from cost. It costs a lot of resources to complete a proper audit of a certifying authority.
People will work at software development without payment because software development is fun. Going through the tedious, but essential, procedure to complete an audit is not fun. If we want it done, properly, we're going to have to pay for it.
I'd have no problem paying a modest amount for a CAcert certificate. Presumably, the operation could be run on a not-for-profit basis and so the certificates would cost much less than the ~$1,000/year charged by companies like Symantec.
This is just a thought - not a proposal. I don't know what it would take to get CAcert properly audited, beyond the obvious fact that it will take more resources than CAcert will be able to apply in the foreseeable future. Maybe somebody who fully understands the whole process can comment?
I have also seen (somewhere) the rumour that to get Microsoft to recognise a CA for MSIE requires a $50,000 payment to Microsoft. Since MSIE has a shrinking market share, I don't see the need to pay that. I assume that Mozilla and Google just want to see evidence of an audit. But again, maybe someone who knows the facts can comment.
Nick
________________________________
Sent: Monday, 24 March 2014, 16:40
Subject: CAcert & debian
Hi,
http://www.heise.de/netze/meldung/Debian-verzichtet-auf-SSL-Root-Zertifikate-von-CAcert-2153353.html?wt_mc=sm.feed.tw.netze
Jörg