Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Board: FB_security, posted 2014/07/04 09:32 (message 17 of 29 in the thread)

Daniel Roethlisberger wrote:
> I share your view that there should be functional HTTPS capability in
> a base install.

I think we're all agreed on that, my point is that the statement "a base install should have a CA bundle by default" does not have to imply "every FreeBSD system must accept the same CAs".

A "base install" is something that's been customized by the installer: we don't all have the same keyboard, we don't all extract a ports tree at install time, so why not make CA bundles part of the install-time customization?

Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not subtractive: we can make it easy for users to install whatever CA bundles they like, but if you put a bad CA cert in the base system, I have to manually patch the base system, even in environments where I'd rather use binary releases and freebsd-update.

Jon
-- 
Jonathan Anderson
jonathan@FreeBSD.org