It's becoming clearer that CAcert isn't going to be passing a third
party audit any time soon. Our only view into it is the open-source code
they've made available, and messy wiki documentation. The quality of the
code is not exactly comforting - whoever wrote most of it didn't seem to
be aware of prepared statements...

Unfortunately, it's true. But note that you will *never* know if these "professionally" "audited" SSL issuers are aware of prepared statements or not. I don't want to name the company that I used to use which has an always-failing admin panel where you never know what the button is going to do every time you click it. No docs can help it.

I would tend to trust CAcert more than anyone else if only their code was clean. Because it's not, I consider them as risky as "professional" SSL issuers where you never know what's behind the scenes. Internets really need commerce-, government- and regulation-free SSL issuers like CAcert. Hope they HTFU and get their code written well some day.

--
Kind regards,
Damian Nowak
StratusHost
www.AtlasHost.eu
