Date:      Thu, 03 Jul 2014 04:28:34 +0200
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security@freebsd.org
Cc:        gecko@freebsd.org
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <53B4BFD2.2060903@obluda.cz>
In-Reply-To: <CAF6rxgkhXtXCjWGpbcm0UU3Rr57dXJojQJ05Rqe-sQ_Nmyp8KQ@mail.gmail.com>
References:  <53B499B1.4090003@delphij.net> <53B4A337.3010907@obluda.cz> <CAF6rxgkhXtXCjWGpbcm0UU3Rr57dXJojQJ05Rqe-sQ_Nmyp8KQ@mail.gmail.com>

On 07/03/14 03:47, Eitan Adler:
> IMHO, it is sane to follow the same policy that Mozilla follows and to
> use their root store by default.

Its policy defines very generic requirements only. Almost anyone can apply.

But I'm not going to discuss Mozilla's policy here beyond my opinion that
its definition of "trusted" is near to meaningless.

>> If I consider a CA to be trustworthy, I will insert its certificate into the
>> trusted store. No one is welcome to make such a decision on my behalf.
>
> So remove or edit the defaults.

Be sure I'm doing it already with browser stores. But I wish the
system/program to be safe by default because not all users are
experts who can recognize dangerous defaults.

Are you ready to recommend a CA as trustworthy and take responsibility
for such advice?

OK, I expressed my personal opinion in full and I'm not wishing to start 
a flame war here ;-)

Cheers

Dan





