RFC: Proposal: Install a /etc/ssl/cert.pem by default?
John-Mark Gurney
jmg at funkthat.com
Fri Jul 4 02:33:45 UTC 2014
Poul-Henning Kamp wrote this message on Thu, Jul 03, 2014 at 15:30 +0000:
> In message <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw at mail.gmail.com>, Eitan Adler writes:
> >On 3 July 2014 07:57, Jonathan Anderson <jonathan at freebsd.org> wrote:
> >> Just my $.02, but if the FreeBSD project is to maintain a
> >> ca-root-freebsd.pem, I think it should have one certificate in it: the root
> >> FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> >> trustworthiness of any CA, and I don't think the Project should either.
>
> I think this makes a lot of sense: FreeBSD is not in the trust-business
> and have no benefit from trying to enter it.
Using a CA bundle for downloads is VERY different than pushing banking
data across it... Yes, they are used for the same thing, but any CA
cert is more trusted than using --no-verify-peer which is more trusted
than using http...
So, of course if we install a CA bundle, this does mean someone who
uses lynx or other text based browser might now not get warnings
about untrusted banking sites, but again, the CA bundle is primarily
to increase the usability/reliability of fetch, not protecting
banking sites...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-security
mailing list