Re: ca_root_nss

From: Kyle Evans <>
Date: Tue, 08 Feb 2022 20:24:00 UTC
On Tue, Feb 8, 2022 at 2:05 PM Dan Mahoney <> wrote:
> All,
> Now that FreeBSD seems to be handling root ssl certs internally, will the ca_root_nss port/package go away at some point?  (Or rather, stop being a dependency of other packages?  I.e. if you want to trust ca_root_nss you can install it, but the OS baseline is what things like "curl" default to trusting.

My hope is that we'll eventually transform ca_root_nss into a package
that does effectively what the current base infrastructure does, but
we can use it as an 'update' mechanism for the trust store. Ideally,
long-term, nothing will depend on ca_root_nss and it's entirely a leaf
port that users may install if they need something in newer updates
that didn't qualify for an SA/EN (e.g., new roots added aren't really
a security issue and probably won't be the highest of priority).

I don't have a timeline on this yet, unfortunately; there's still a
number of issues pointed out by Michael Osipov with the new model that
need to be fixed before we can redesign ca_root_nss. I'm still hoping
that I can find someone else to help me out here, because my time is
pretty over-committed as it is.


Kyle Evans