From: Peter Jeremy
Date: Tue, 16 May 2006 19:15:12 +1000
To: "James O'Gorman"
Cc: FreeBSD Security List
Message-ID: <20060516091512.GE714@turion.vk2pj.dyndns.org>
In-Reply-To: <4469064F.50102@netinertia.co.uk>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Subject: Re: Slightly OT: SSL certs - best practice?

On Mon, 2006-May-15 23:53:03 +0100, James O'Gorman wrote:
>PS - Once I've worked out how exactly I'm supposed to be doing this,
>I'll probably get some "officially" signed certs. I hear CACert are a
>good, free way of doing this. Anyone got any comments on that?

I've gone through the CAcert assurance process and it seems to work,
though a lot depends on your access to other assurers. Note that the
CAcert certificates are now part of ports/security/ca-roots, though the
issue of bootstrapping remains (how do you know that your roots file
is genuine).

-- 
Peter Jeremy