RFC: Proposal: Install a /etc/ssl/cert.pem by default?

[Mark Felder]

There is always going to be skepticism about who to trust by default. The CA system is out of control and it worries me as well. However, if we do not make an effort to provide a default trust store why do we enforce verification by default? I feel it would be more consistent to disable verification requiring those who know what they're doing to create their own trust store and pass --verify-peer to fetch manually. I'm on the verge of breaking my keyboard every time I jump onto a random FreeBSD server and try to fetch something over https.

--no-verify-peer is now muscle memory; that isn't a good sign. I eagerly await verification through DNSSEC to take off.

-2c