From owner-freebsd-security@FreeBSD.ORG Thu Jul 3 02:28:48 2014
Message-ID: <53B4BFD2.2060903@obluda.cz>
Date: Thu, 03 Jul 2014 04:28:34 +0200
From: Dan Lukes
To: freebsd-security@freebsd.org
Cc: gecko@freebsd.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
References: <53B499B1.4090003@delphij.net> <53B4A337.3010907@obluda.cz>

On 07/03/14 03:47, Eitan Adler:
> IMHO, it is sane to follow the same policy that Mozilla follows and to
> use their root store by default.

Its policy defines very generic requirements only. Almost anyone can apply.
But I'm not going to discuss Mozilla's policy here beyond my opinion that its definition of "trusted" is near to meaningless.

>> If I consider a CA to be trustworthy, I will insert its certificate to
>> trusted store. No one is welcomed to make such decision in behalf of me.
>
> So remove or edit the defaults.

Be sure I'm doing it already with browsers' stores. But I wish system/program shall be safe by default because not all users are experts that can recognize dangerous defaults.

Are you ready to recommend a CA as trustworthy and take responsibility for such advice?

OK, I expressed my personal opinion in full and I'm not wishing to start a flame war here ;-)

Cheers

Dan