Date:      Fri, 22 Jan 2016 13:28:49 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        kpneal@pobox.com
Cc:        mfv@bway.net, Anton Sayetsky <vsasjason@gmail.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Downloading 10.2-RELEASE-p10 source without prayer
Message-ID:  <56A22E91.5030606@FreeBSD.org>
In-Reply-To: <20160122131135.GA12085@neutralgood.org>
References:  <CAPi0psv=XoZ4Zd_J4g-dLLOTtD9FCCbdiTn7AaA6BX4QwS4-og@mail.gmail.com> <CAPi0psuP96f--dnRKpWZaDtsKX-1N=n%2B4hJ_yhwnB19-iOHaKg@mail.gmail.com> <569F4344.5020907@FreeBSD.org> <20160120115808.6133c482@gecko4> <569FC320.1080906@freebsd.org> <CAA2O=b-2hdGPWCOXX%2BHhZx=oVzM5dQSmTsGJ25AUK0hEhGNzLQ@mail.gmail.com> <20160120181129.08eedbbc@gecko4> <56A08FC1.1080701@FreeBSD.org> <20160122131135.GA12085@neutralgood.org>

On 2016/01/22 13:11, kpneal@pobox.com wrote:
> On Thu, Jan 21, 2016 at 07:58:57AM +0000, Matthew Seaman wrote:
>> On 20/01/2016 23:11, mfv wrote:
>>> I do not know how ca_root_nss works but will save that for another day.
>>> Right now, it just works, without any intervention on my part.  Kudos
>>> to the developers.
>>
>> ca_root_nss is just a list of Certification Authority certificates,
>> which OpenSSL will trust by default.  It's derived from the list of
>> certificates that is built into Firefox for the same purpose.
>>
>> 'Trust' in this sense means that you're trusting the CA to verify that
>> the identity they've signed a certificate for is legitimately the
>> property of the people requesting it.  Various CAs have been expelled
>> from that list over time, due to incompetence or because they were found
>> to be the tools of a repressive regime, so it's important to keep
>> ca_root_nss up to date.
>
> Say, won't DNSSEC+DANE eliminate the need for a CA?
>
> Or, at the very least, it will allow for certificates to be designated as
> ONLY coming from a specific CA.

Yes indeed.  DNSSEC+DANE is another way of being able to declare to the
world that you own a specific SSL key / cert in a cryptographically
secure manner.  To trust DANE, you essentially have to trust that DNSSEC
is secure -- which is quite a reasonable thing to do -- and assume that
the people in control of the DNS for example.com are at least allied
with the people that manage the site at https://foo.example.com/ (this
will usually be the case, but it's possibly the least reliable step in
this concept.)

Whether DANE will make CAs obsolete remains to be seen.  It's pretty
useful for SMTP over TLS at the moment, but most other applications need
client-side support added.

	Cheers,

	Matthew
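
As an added example (not from this thread or any FreeBSD code), here is the DANE check the reply describes: a TLSA record, accepted only when the DNS answer was DNSSEC-validated, is matched against the server's end-entity certificate. The minimal DER walker, the constructed stand-in certificate and the TLSA record for _443._tcp.foo.example.com are all assumptions made for this example.

```python
import hashlib

def der_read(buf, pos):
    """Return (tag, value, end) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the complete DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)       # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                    # children as (tag, whole TLV bytes)
        tag, _, end = der_read(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                 # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, then SPKI

def tlsa_rdata(text):
    """Zone-file presentation form '3 1 1 <hex>' -> RFC 6698 wire RDATA."""
    usage, selector, mtype, hexdata = text.split()
    return bytes([int(usage), int(selector), int(mtype)]) + bytes.fromhex(hexdata)

def tlsa_matches(rdata, cert_der):
    """Does one TLSA record match the server's end-entity certificate?"""
    usage, selector, mtype, assoc = rdata[0], rdata[1], rdata[2], rdata[3:]
    if usage != 3:                           # only DANE-EE (usage 3) is handled here
        return False
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype != 0:                           # 1 = SHA-256, 2 = SHA-512 of the data
        data = hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()
    return data == assoc

def dane_verify(records, cert_der, dnssec_validated):
    """DANE applies only to a DNSSEC-validated TLSA answer (AD bit); otherwise no verdict."""
    return bool(dnssec_validated) and any(tlsa_matches(r, cert_der) for r in records)

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form DER TLV, enough for the stand-in below

# Constructed stand-in for a DER certificate: real tbsCertificate field order, dummy contents.
FAKE_SPKI = tlv(0x30, tlv(0x30, b"\x06\x03\x2a\x03\x04") + tlv(0x03, b"\x00dummy-key"))
FAKE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                        + tlv(0x30, b"") * 4 + FAKE_SPKI) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
TLSA_3_1_1 = tlsa_rdata("3 1 1 " + hashlib.sha256(FAKE_SPKI).hexdigest())  # constructed record
```

A real client would obtain the certificate from the TLS handshake and the TLSA RRset from a validating resolver, and only then call dane_verify().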