SSL is broken on FreeBSD
Chad Perrin
perrin at apotheon.com
Fri Apr  1 23:42:32 UTC 2011

On Fri, Apr 01, 2011 at 06:50:33PM -0400, Brian Reichert wrote:
> 
> That you got this same command to work implies you have a different
> set of CAs than I.
> 
> His point (someone please correct me, if necessary) is that without
> what he considers a reasonable set of trusted CAs in place, SSL under
> FreeBSD is 'broken'.
> 
> I interpret this thread now to be a debate of terms 'reasonable'
> and 'trusted', and further, whose responsibility it is to populate
> that list of CAs on his machine.

In case anyone cares what I think . . .

I don't think that either of the two options currently under discussion
(quietly provide a "trusted" CA list or quietly failing to provide one)
is optimal.  In the best-case scenario, I guess there would be some
self-evident system for letting the user choose what to use, if anything,
giving a very brief, glancing explanation of the meaning of trust in this
circumstance.  Failing that -- given the options currently available to
us without writing more software to do it differently in a way that's
compatible with how we manage our OSes -- I don't much care whether a
list of "trusted" CAs is included or not.  The important thing here is
knowledge, and both approaches under discussion fail to impart any
knowledge upon the user, so it's six of one and half a dozen of the
other.

I'm open to being convinced it really matters, though, if someone has an
argument more compelling than Istvan's.

(This ignores the notion that there are simply better ways to validate
certs than via CA trust, which is a somewhat separate issue.)

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
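The quoted exchange turns on a practical question: does this particular box have any trusted CAs at all, and where does OpenSSL look for them? The following diagnostic is an added example written for this archive page, not code from the thread or from the FreeBSD project. It uses only the Python standard library's `ssl` module and reports the compiled-in default paths, any `SSL_CERT_FILE`/`SSL_CERT_DIR` overrides, and how many CA certificates a freshly built client context actually picks up. A context with nothing loaded is exactly the "broken" state under discussion: every verified handshake fails with "unable to get local issuer certificate".

```python
import os
import ssl


def trust_store_status():
    """Report where this OpenSSL build looks for trusted CAs and whether a
    client context can verify server certificates at all.

    Added diagnostic for the trust-store question in the thread; it makes
    no assumptions about the host beyond a working Python ssl module.
    """
    paths = ssl.get_default_verify_paths()

    # Environment overrides take precedence over the compiled-in defaults,
    # so report whichever one OpenSSL will actually use.
    cafile = os.environ.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = os.environ.get(paths.openssl_capath_env) or paths.openssl_capath

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    # Nothing has been loaded yet, so this context cannot complete a
    # verified handshake with any peer: this is the state a system with no
    # CA bundle is in for every program that relies on the defaults.
    cas_before = len(ctx.get_ca_certs())

    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    # get_ca_certs() only lists certificates read from a CA *file*; entries
    # in a hashed CA *directory* are loaded lazily on first use, so a
    # capath-only system legitimately reports zero here.
    cas_after = len(ctx.get_ca_certs())

    capath_exists = bool(capath) and os.path.isdir(capath)
    return {
        "cafile": cafile,
        "cafile_exists": bool(cafile) and os.path.isfile(cafile),
        "capath": capath,
        "capath_exists": capath_exists,
        "cas_loaded_from_file": cas_after,
        "cas_before_load": cas_before,
        # Best-effort verdict: a populated CA file, or at least a CA
        # directory that exists, is needed before verification can succeed.
        "likely_can_verify": cas_after > 0 or capath_exists,
    }


if __name__ == "__main__":
    for key, value in trust_store_status().items():
        print(f"{key}: {value}")
```

Run it on two machines where the same `openssl s_client` command behaves differently and the `cafile`/`capath` lines usually explain the difference. A `likely_can_verify` of `False` means applications that trust the OpenSSL defaults will reject every server certificate until a CA bundle is installed or `SSL_CERT_FILE` points at one.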