RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Jonathan Anderson
jonathan at FreeBSD.org
Fri Jul 4 01:03:15 UTC 2014
Daniel Roethlisberger wrote:
> I share your view that there should be functional HTTPS capability in
> a base install.
I think we're all agreed on that, my point is that the statement "a base
install should have a CA bundle by default" does not have to imply
"every FreeBSD system must accept a the same CAs". A "base install" is
something that's been customized by the installer: we don't all have the
same keyboard, we don't all extract a ports tree at install time, so why
not make CA bundles part of the install-time customization?
Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not
subtractive: we can make it easy for users to install whatever CA
bundles they like, but if you put a bad CA cert in the base system, I
have to manually patch the base system, even in environments where I'd
rather use binary releases and freebsd-update.
Jon
--
Jonathan Anderson
jonathan at FreeBSD.org
More information about the freebsd-security
mailing list