I've seen a lot of bugreports related to untrusted CAcert root certificate used to sign certificate for https://bugs.gentoo.org/ and don't wanna duplicate them. Instead, I'd like to let you know: it's now possible to get _free_ certificate for https:// signed by trusted CA: https://startssl.com/ They provide non-free advanced certificates (like for wildcard domains), but to get certificate for single domain like bugs.gentoo.org all you'll need to do is confirm you own email like postmaster@gentoo.org and spend about 30 minutes. If CAcert manage to get their root CA certificate accepted by major browsers you can always switch back to their certificates, but for now StartSSL looks like good choice to avoid "invalid certificate" error for all users.
bugs.gentoo.org actually needs a wildcard, *.bugs.gentoo.org to handle attachments safely. StartSSL has been raised before. To save you digging in the broken email archives, we oppose the level of personal information that they want from us. Specifically the personal details here: https://startssl.com/?app=34 (copying these is actually violation of privacy laws in some jurisdictions) The corporate details here are fine. https://startssl.com/?app=35
