RFC: Proposal: Install a /etc/ssl/cert.pem by default?

[Eitan Adler]

On 3 July 2014 07:57, Jonathan Anderson <jonathan at freebsd.org> wrote:
> Just my $.02, but if the FreeBSD project is to maintain a
> ca-root-freebsd.pem, I think it should have one certificate in it: the root
> FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> trustworthiness of any CA, and I don't think the Project should either.


Perhaps we should remove HTTPS support from libfetch and require the
user to install wget or curl if they want to use SSL?  Having a
*default* certificate bundle (that could be removed / edited, of
course) is not necessarily even making a trust claim about a
particular cert. [0]   IMHO the position where the majority of SSL on
the internet is broken by default is not tenable.

We support HTTP.  We don't support HTTPS.  The browsers spend a lot of
time on this problem. We don't.  I am not asserting that the Mozilla
set is perfect.  I am asserting that we should have *functional* SSL
in the base system, and that using the Mozilla set is a good way to
obtain that with a good enough policy.


[0] It might be, but doesn't have to be
[1] See https://wiki.mozilla.org/CA:How_to_apply and
https://groups.google.com/forum/#!forum/mozilla.dev.security.policy
-- 
Eitan Adler