Date: Sat, 5 Jul 2014 19:22:37 +1000
From: Alastair Hogge <agh@fastmail.fm>
To: Axel Rau <Axel.Rau@Chaos1.DE>
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140705092237.GA94704@kropotkin.aux.io>
In-Reply-To: <A640A06B-4A40-4086-A5C0-3F32FF62BFD0@Chaos1.DE>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com> <20140703221448.GA99094@calvin.ustdmz.roe.ch> <21429.55379.293697.133423@hergotha.csail.mit.edu> <A640A06B-4A40-4086-A5C0-3F32FF62BFD0@Chaos1.DE>

On 2014-07-05 Sat 10:43:16 +0200, Axel Rau wrote:
>
> On 04.07.2014 at 00:25, Garrett Wollman <wollman@bimajority.org> wrote:
>
> > <<On Fri, 4 Jul 2014 00:14:48 +0200, Daniel Roethlisberger <daniel@roe.ch> said:
> >
> >> [1] There is no such thing as a perfect CA bundle (i.e. both
> >> secure *and* usable) given how broken the whole CA system is
> >> these days.
> >
> > So is anyone working on DANE support in libfetch and other base-system
> > utilities? Let's lead on this rather than just flaming about how CAs
> > suck….
> +1 DANE is the route to go in the future.
> It perfectly matches the use case discussed here.

+1

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140705092237.GA94704>