Date:      Thu, 3 Jul 2014 08:20:51 -0700
From:      Eitan Adler <lists@eitanadler.com>
To:        Jonathan Anderson <jonathan@freebsd.org>
Cc:        d@delphij.net, Ben Laurie <benl@freebsd.org>, gecko@freebsd.org, Bryan Drewery <bdrewery@freebsd.org>, freebsd-security@freebsd.org, FreeBSD Ports Management Team <portmgr@freebsd.org>, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>
In-Reply-To: <53B56F49.7030109@FreeBSD.org>
References:  <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org>

On 3 July 2014 07:57, Jonathan Anderson <jonathan@freebsd.org> wrote:
> Just my $.02, but if the FreeBSD project is to maintain a
> ca-root-freebsd.pem, I think it should have one certificate in it: the root
> FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> trustworthiness of any CA, and I don't think the Project should either.


Perhaps we should remove HTTPS support from libfetch and require the
user to install wget or curl if they want to use SSL?  Having a
*default* certificate bundle (that could be removed / edited, of
course) is not necessarily even making a trust claim about a
particular cert. [0]   IMHO the position where the majority of SSL on
the internet is broken by default is not tenable.

We support HTTP.  We don't support HTTPS.  The browsers spend a lot of
time on this problem. We don't.  I am not asserting that the Mozilla
set is perfect.  I am asserting that we should have *functional* SSL
in the base system, and that using the Mozilla set is a good way to
obtain that with a good enough policy.


[0] It might be, but doesn't have to be
[1] See https://wiki.mozilla.org/CA:How_to_apply and
https://groups.google.com/forum/#!forum/mozilla.dev.security.policy
-- 
Eitan Adler
