RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Axel Rau
Axel.Rau at Chaos1.DE
Sat Jul 5 08:43:21 UTC 2014
On 04.07.2014 at 00:25, Garrett Wollman <wollman at bimajority.org> wrote:
> <<On Fri, 4 Jul 2014 00:14:48 +0200, Daniel Roethlisberger <daniel at roe.ch> said:
>
>> [1] There is no such thing as a perfect CA bundle (i.e. both
>> secure *and* usable) given how broken the whole CA system is
>> these days.
>
> So is anyone working on DANE support in libfetch and other base-system
> utilities? Let's lead on this rather than just flaming about how CAs
> suck….
+1 DANE is the route to go in the future.
It perfectly matches the use case discussed here.
Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
More information about the freebsd-security mailing list