Date: Thu, 3 Jul 2014 14:16:25 +0000
From: Mark Felder <feld@freebsd.org>
To: freebsd-security@freebsd.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <5c02fe3098089bf6d58834a66f2eeba7@mail.feld.me>
In-Reply-To: <53B499B1.4090003@delphij.net>
References: <53B499B1.4090003@delphij.net>
There is always going to be skepticism about who to trust by default. The CA system is out of control and it worries me as well. However, if we do not make an effort to provide a default trust store why do we enforce verification by default? I feel it would be more consistent to disable verification requiring those who know what they're doing to create their own trust store and pass --verify-peer to fetch manually.

I'm on the verge of breaking my keyboard every time I jump onto a random FreeBSD server and try to fetch something over https. --no-verify-peer is now muscle memory; that isn't a good sign.

I eagerly await verification through DNSSEC to take off.

-2c