Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Board: FB_security | Posted: 2014/07/04 02:01
Bryan Drewery wrote:
> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.

How very sensible!

> I like the idea of secteam maintaining a ca-root-freebsd.pem even
> better, as long as you are willing to.

Just my $.02, but if the FreeBSD project is to maintain a ca-root-freebsd.pem, I think it should have one certificate in it: the root FreeBSD Project cert. Beyond that, I'm not willing to vouch for the trustworthiness of any CA, and I don't think the Project should either. Let people install CA bundles from packages, even give admins the choice of "the Mozilla bundle" vs "Dr Guru's paranoid bundle" vs whatever, but I don't think the Project should be in the business of endorsing any particular CA in the base system.

> IMHO always install it, don't depend on MK_OPENSSL. Is the file actually
> specific to OpenSSL? Ports would love to have it be available all the
> time regardless of SSL library choices.

Or we could patch the OpenSSL port to use /usr/local/etc/ssl too?


Jon
-- 
Jonathan Anderson
jonathan@FreeBSD.org
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
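
An added example, not part of the original message or of FreeBSD's code: a small audit helper that applies the lookup order mentioned in the thread (/usr/local/etc/ssl before /etc/ssl) and reports how many CA certificates the winning bundle asks the host to trust, plus any base bundle it shadows. The file name cert.pem comes from the thread subject; the function names and the root-prefix argument are hypothetical, and the sketch models only the two-directory order, not any other override a client may honor.

```shell
#!/bin/sh
# Added example (not FreeBSD code). The optional first argument is a
# hypothetical root prefix so the logic can be run against a scratch tree.

# Print the first readable bundle, checking /usr/local/etc/ssl before /etc/ssl.
find_ca_bundle() {
    root="${1:-}"
    for dir in /usr/local/etc/ssl /etc/ssl; do
        if [ -r "${root}${dir}/cert.pem" ]; then
            printf '%s\n' "${root}${dir}/cert.pem"
            return 0
        fi
    done
    return 1
}

# Count PEM certificate blocks, i.e. the number of CAs the bundle vouches for.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Report the bundle in effect and whether it hides a base-system bundle.
audit_ca_bundle() {
    root="${1:-}"
    used=$(find_ca_bundle "$root") || { echo "no CA bundle found"; return 1; }
    echo "used: $used ($(count_certs "$used") certificates)"
    base="${root}/etc/ssl/cert.pem"
    if [ "$used" != "$base" ] && [ -r "$base" ]; then
        echo "shadowed: $base ($(count_certs "$base") certificates)"
    fi
}

# Constructed placeholder PEM block (not a real CA certificate).
pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----'
}

# Constructed demo: a one-certificate base bundle and a two-certificate
# package bundle in a scratch tree.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssl" "$demo/usr/local/etc/ssl"
pem > "$demo/etc/ssl/cert.pem"
{ pem; pem; } > "$demo/usr/local/etc/ssl/cert.pem"
audit_ca_bundle "$demo"
rm -rf "$demo"
```

Run with no argument inside `audit_ca_bundle` to inspect the live system paths instead of the scratch tree.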