Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Board: FB_security, posted 2014/07/04 12:32
Poul-Henning Kamp wrote this message on Thu, Jul 03, 2014 at 15:30 +0000:
> In message <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>, Eitan Adler writes:
> >On 3 July 2014 07:57, Jonathan Anderson <jonathan@freebsd.org> wrote:
> >> Just my $.02, but if the FreeBSD project is to maintain a
> >> ca-root-freebsd.pem, I think it should have one certificate in it: the root
> >> FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> >> trustworthiness of any CA, and I don't think the Project should either.
>
> I think this makes a lot of sense: FreeBSD is not in the trust-business
> and have no benefit from trying to enter it.

Using a CA bundle for downloads is VERY different than pushing banking
data across it...

Yes, they are used for the same thing, but any CA cert is more trusted
than using --no-verify-peer which is more trusted than using http...

So, of course if we install a CA bundle, this does mean someone who uses
lynx or other text based browser might now not get warnings about
untrusted banking sites, but again, the CA bundle is primarily to
increase the usability/reliability of fetch, not protecting banking
sites...

--
John-Mark Gurney    Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"