Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Board: FB_security, posted 2014/07/04 02:01
On 07/03/14 16:16, Mark Felder:
> if we do not make an effort to provide a default trust store why do we enforce verification by default?

Well, there is a CA recognized trustworthy for the purpose of FreeBSD components download. It's a CA maintained by FreeBSD's security officer or other core committer. I trust source code under its control already, so I can trust its own CA that verifies such code transfers.

Of course, such a CA is not considered trusted for other purposes. It is acceptable to use a pre-installed CA for the purpose of system maintenance, but it must not be used by any generic system utility/library by default.

I mean that maintenance tools like portmaster, pkg or so may "trust" such a default CA, but generic system tools like fetch or ftp as well as system libraries like libfetch must not consider a CA trusted without an explicit administrator's/user's decision.

Dan