RFC: Proposal: Install a /etc/ssl/cert.pem by default?

John-Mark Gurney jmg at funkthat.com
Fri Jul 4 02:44:56 UTC 2014


Dan Lukes wrote this message on Thu, Jul 03, 2014 at 02:26 +0200:
> On 07/03/14 01:45, Xin Li:
> >1. Import a set of trusted root certificates
> 
> Question is imminent ...
> 
> Trusted by whom ?
> 
> Trust is matter of personal decision, local law and law that apply to 
> particular CA.
> 
> If I consider a CA to be trustworthy, I will insert its certificate into the 
> trusted store. No one is welcome to make such a decision on behalf of me.

As others have said, you can customize FreeBSD how you want.. There
is no "we will uninstall FreeBSD if you uninstall (or set WITHOUT_xxx)
on your FreeBSD system" rule...

Dan Lukes wrote this message on Thu, Jul 03, 2014 at 04:28 +0200:
> On 07/03/14 03:47, Eitan Adler:
> >IMHO, it is sane to follow the same policy that Mozilla follows and to
> >use their root store by default.
> 
> Its policy defines very generic requirements only. Almost anyone can apply.

I agree that the FreeBSD project needs a policy on how CAs are selected.
Just as other countries may not trust the USA's CAs, people should always
be more aware of this, but sadly, many do not...

This is partly why things like TACK and other cert mechanisms are being
investigated...  When I first heard of how certs were issued almost 20
years ago, I was like, are they stupid?  Sadly, we realized too late
how stupid it was...

> But I'm not going to discuss Mozilla's policy here beyond my opinion that 
> its definition of "trusted" is near to meaningless.
> 
> >>If I consider a CA to be trustworthy, I will insert its certificate into the
> >>trusted store. No one is welcome to make such a decision on behalf of me.
> >
> >So remove or edit the defaults.
> 
> Be sure I'm doing it already with browsers stores. But I wish 
> system/program shall be safe by default because not all users are 
> experts that can recognize dangerous defaults.

Per my email to phk, certs can/should have different trust metrics
associated with them...

I always laugh when I see people post md5/sha1 sums to their http
website but not sign them...  What's the point?  If someone can MITM
or hack the server, you can replace the md5/sha1 sum too...

There needs to be a proper train of trust if you go that far, and I
doubt most people are willing to do that...

> Are you ready to recommend a CA as trustworthy and take responsibility 
> for such advice ?
> 
> OK, I expressed my personal opinion in full and I'm not wishing to start 
> a flame war here ;-)

It's good to know the concerns of our users.. :)  Even if we may think
some of them are crazy, though I've been happy to find out that I wasn't
paranoid over the last few years, they really were listening.. :)

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
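The point John-Mark makes above about unsigned md5/sha1 sums, as an added example that is not part of the original message or of the FreeBSD project: whoever controls the web server (or sits between it and the client) can swap both the file and the digest posted next to it, so a hash check passes on the tampered file, while a signature verified against a public key the client obtained out of band fails. The script assumes only the openssl command-line tool; the release file, the RSA key pair and the "out-of-band" copy of the public key are all constructed in a temporary directory, and SHA-256 stands in for the md5/sha1 of the original post.

```shell
#!/bin/sh
# Added example (not from the list thread): a digest published on the same
# channel as the file is replaceable by whoever controls that channel; a
# signature checked against a key obtained out of band is not.
# Assumes only the openssl CLI (RSA keys, SHA-256, dgst sign/verify).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# SHA-256 hex digest of a file; openssl prints "SHA256(name)= <hex>" (or
# "SHA2-256(name)= <hex>" on OpenSSL 3), so the last field is the digest.
hash_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# --- Publisher: builds the release, posts its digest next to it, and signs it.
# The private key stays with the publisher; the public key reaches users by a
# separate trusted path (constructed scenario, so here it is simply a copy).
printf 'release 1.0 contents\n' > release.tgz
hash_of release.tgz > release.tgz.sha256
openssl genrsa -out signer.key 2048 2>/dev/null
openssl rsa -in signer.key -pubout -out signer.pub 2>/dev/null
openssl dgst -sha256 -sign signer.key -out release.tgz.sig release.tgz
cp signer.pub trusted-signer.pub    # the copy the client already holds

# --- Attacker who controls the server or the path to it: swaps the file and
# recomputes the digest, which costs nothing. The signature cannot be
# regenerated without signer.key.
printf 'release 1.0 contents plus a backdoor\n' > release.tgz
hash_of release.tgz > release.tgz.sha256

# --- Client checks. check_hash compares the file against the digest fetched
# from the same server; check_sig verifies the signature with the public key
# obtained out of band. Each returns 0 on success, non-zero on failure.
check_hash() { [ "$(hash_of release.tgz)" = "$(cat release.tgz.sha256)" ]; }
check_sig()  { openssl dgst -sha256 -verify trusted-signer.pub \
                 -signature release.tgz.sig release.tgz >/dev/null 2>&1; }

if check_hash; then echo "hash check: PASS (the tampered file is accepted)"; fi
if check_sig; then echo "signature: PASS"; else echo "signature: FAIL (tampering detected)"; fi
```

The digest check passes on the backdoored file because the attacker rewrote release.tgz.sha256 along with it; only the signature, whose verification key did not travel over the compromised channel, rejects it. The same reasoning applies to an unauthenticated http download of a CA bundle: without a signature checked against a key you already trust, the bundle's own hash proves nothing.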

