Downloading 10.2-RELEASE-p10 source without prayer
matthew at FreeBSD.org
Fri Jan 22 13:29:12 UTC 2016
On 2016/01/22 13:11, kpneal at pobox.com wrote:
> On Thu, Jan 21, 2016 at 07:58:57AM +0000, Matthew Seaman wrote:
>> On 20/01/2016 23:11, mfv wrote:
>>> I do not know how ca_root_nss works but will save that for another day.
>>> Right now, it just works, without any intervention on my part. Kudos
>>> to the developers.
>> ca_root_nss is just a list of Certification Authority certificates,
>> which OpenSSL will trust by default. It's derived from the list of
>> certificates that is built into Firefox for the same purpose.
>> 'Trust' in this sense means that you're trusting the CA to verify that
>> the identity they've signed a certificate for is legitimately the
>> property of the people requesting it. Various CAs have been expelled
>> from that list over time, due to incompetence or because they were found
>> to be the tools of a repressive regime, so it's important to keep
>> ca-root_nss up to date.
> Say, won't DNSSEC+DANE eliminate the need for a CA?
> Or, at the very least, it will allow for certificates to be designated as
> ONLY coming from a specific CA.
Yes indeed. DNSSEC+DANE is another way of being able to declare to the
world that you own a specific SSL key / cert in a cryptographically
secure manner. To trust DANE, you essentially have to trust that DNSSEC
is secure -- which is quite a reasonable thing to do -- and assume that
the people in control of the DNS for example.com are at least allied
with the people that manage the site at https://foo.example.com/ (this
will usually be the case, but it's possibly the least reliable step in
Whether DANE will make CAs obsolete remains to be seen. It's pretty
useful for SMTP over TLS at the moment, but most other applications need
client-side support added.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 972 bytes
Desc: OpenPGP digital signature
More information about the freebsd-questions