RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Daniel Roethlisberger daniel at roe.ch
Thu Jul 3 22:14:57 UTC 2014


Eitan Adler <lists at eitanadler.com> 2014-07-03:
> On 3 July 2014 07:57, Jonathan Anderson <jonathan at freebsd.org> wrote:
> > Just my $.02, but if the FreeBSD project is to maintain a
> > ca-root-freebsd.pem, I think it should have one certificate in it: the root
> > FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> > trustworthiness of any CA, and I don't think the Project should either.
> 
> Perhaps we should remove HTTPS support from libfetch and require the
> user to install wget or curl if they want to use SSL?  Having a
> *default* certificate bundle (that could be removed / edited, of
> course) is not necessarily even making a trust claim about a
> particular cert. [0]   IMHO the position where the majority of SSL on
> the internet is broken by default is not tenable.
> 
> We support HTTP.  We don't support HTTPS. [...]

I share your view that there should be functional HTTPS
capability in a base install.  It boggles my mind how it should
be better to not support HTTPS at all or only unauthenticated
HTTPS, than having to ship a not perfect CA bundle [1] which,
while putting trust in some CAs that don't deserve that trust, is
still magnitudes more secure in any sense of the word.  If you
compare the risk between HTTP only or unauthenticated HTTPS,
versus HTTPS with a browser's CA bundle, HTTPS with a CA bundle
wins whichever way you look at it.

I do agree that FreeBSD should not start maintaining its own CA
bundle; but personally I don't think it matters whether we use
Mozilla's, Google's or even Microsoft's CA bundle, as long as
there is one included in a base install and HTTPS is functional
by default.

[1] There is no such thing as a perfect CA bundle (i.e. both
    secure *and* usable) given how broken the whole CA system is
    these days.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
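The risk comparison Daniel draws above (no verification versus verification against a not-perfect bundle) can be shown end to end without touching the network. The following is an added example, not code from this thread or from FreeBSD's libfetch. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH and uses it to build a throwaway PKI: a root CA, a leaf certificate for "localhost" signed by that CA, and a second, unrelated root CA. A local TLS server presents the leaf, and three clients connect to it: one with a constructed cert.pem that contains the issuing CA, one with a cert.pem that does not, and one with verification switched off, which is the "unauthenticated HTTPS" case. All names, paths and the constructed certificates are local to the example.

```python
"""Added example: what a CA bundle buys you over unauthenticated TLS.

A throwaway root CA, a leaf cert for "localhost" signed by it, and an
unrelated second root CA are generated with the openssl CLI (assumed to
be on PATH, 1.1.1 or newer).  A local TLS server presents the leaf and
three clients connect:

  * verification on, cert.pem holds the issuing CA    -> accepted
  * verification on, cert.pem holds some other CA     -> rejected
  * verification off (CERT_NONE, "unauthenticated")   -> accepted, and
    an impostor's certificate would be accepted just the same
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)
    return path


def make_ca(workdir, name, cn):
    """Self-signed root with basicConstraints CA:TRUE; returns (key, cert)."""
    cnf = _write(os.path.join(workdir, f"{name}.cnf"),
                 "[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n"
                 f"[dn]\nCN = {cn}\n"
                 "[ext]\nbasicConstraints = critical,CA:TRUE\n"
                 "keyUsage = keyCertSign,cRLSign\n")
    key = os.path.join(workdir, f"{name}.key")
    cert = os.path.join(workdir, f"{name}.pem")
    _openssl("req", "-x509", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", cert, "-days", "2")
    return key, cert


def make_leaf(workdir, ca_key, ca_cert):
    """Leaf cert with SAN DNS:localhost signed by the CA; returns (key, cert)."""
    cnf = _write(os.path.join(workdir, "srv.cnf"),
                 "[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = localhost\n")
    ext = _write(os.path.join(workdir, "srv_ext.cnf"),
                 "subjectAltName = DNS:localhost\n")
    key = os.path.join(workdir, "srv.key")
    csr = os.path.join(workdir, "srv.csr")
    cert = os.path.join(workdir, "srv.pem")
    _openssl("req", "-new", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_cert, "-CAkey", ca_key,
             "-CAcreateserial", "-out", cert, "-days", "2", "-extfile", ext)
    return key, cert


def serve(certfile, keyfile, n_clients, port_box, ready):
    """Accept n_clients TLS connections; send a banner to each client that
    completes the handshake.  A client that rejects our cert aborts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(5)
        port_box.append(lsock.getsockname()[1])
        ready.set()
        for _ in range(n_clients):
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
            except (ssl.SSLError, OSError):
                pass  # verifying client sent an alert instead of finishing
            finally:
                conn.close()


def fetch_banner(port, cafile=None):
    """cafile=None models unauthenticated HTTPS (any certificate accepted);
    otherwise the server cert must chain to a root in cafile and match
    the hostname, which is what a populated /etc/ssl/cert.pem gives you."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return "accepted:" + tls.recv(64).decode()
    except ssl.SSLCertVerificationError:
        return "rejected"


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        ca_key, ca_cert = make_ca(workdir, "ca", "Test Root CA")
        _, other_ca = make_ca(workdir, "other", "Unrelated Root CA")
        srv_key, srv_cert = make_leaf(workdir, ca_key, ca_cert)
        # Two candidate cert.pem contents: one with the right trust anchor, one without.
        with open(ca_cert) as fh:
            good_bundle = _write(os.path.join(workdir, "cert.pem"), fh.read())
        wrong_bundle = other_ca
        port_box, ready = [], threading.Event()
        t = threading.Thread(target=serve, args=(srv_cert, srv_key, 3, port_box, ready),
                             daemon=True)
        t.start()
        ready.wait(5)
        port = port_box[0]
        results = {
            "bundle_has_issuer": fetch_banner(port, good_bundle),
            "bundle_lacks_issuer": fetch_banner(port, wrong_bundle),
            "no_verification": fetch_banner(port, None),
        }
        t.join(5)
        return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:20s} {outcome}")
```

The third client is the interesting one: with CERT_NONE the handshake completes against whatever certificate is presented, so a middlebox holding any key at all could have answered instead. The second client shows the cost of a bundle that lacks a given CA (the connection fails closed rather than silently degrading), which is the usability side of the "no perfect bundle" trade-off. fetch(3) exposes the same two knobs for libfetch through the SSL_CA_CERT_FILE and SSL_NO_VERIFY_PEER environment variables.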
