From: grarpamp
Date: Fri, 20 Jan 2023 03:33:20 -0500
Subject: Re: Can security/ca_root_nss be retired?
To: ports@freebsd.org
Cc: freebsd-security@freebsd.org
In-Reply-To: <7F3E8043-D985-4BC4-97B9-1FF7BA2E54C1@freebsd.org>
References: <20230120070931.4ef522dfa48b35ddac0c50ac@dec.sakura.ne.jp> <7F3E8043-D985-4BC4-97B9-1FF7BA2E54C1@freebsd.org>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

> /usr/share/certs

Was never necessary. Should not have been added.

>> trust store
> list of trusted CAs

People are fools if they think they can "trust" any of those.

Including a live cert store in base does little but endorse exposure of users to such external risks. Users before at least had to read and actively choose to enable footshooting; now apparently the teaching is that blindly placing trust upon untrustable external third parties is the right thing to do. There are lots of MITM-enabling random adversaries in that "trust" store, and its issues have been in the news multiple times already.

However users choose to disable and manage their own stores, some of their models for doing that obviously might include making use of data elements held within a current port of the upstream stores. Other users have other projects and apps that need it for other reasons as well.

So retiring ca_root_nss would be anti-helpful for them, and thus retiring it is definitely not suggested. Nor do other Unix retire this either.

-- 
https://odysee.com/@Anarchast:2
https://duckduckgo.com/?ia=videos&iax=videos&q=voluntaryism
https://duckduckgo.com/?ia=videos&iax=videos&q=cryptocurrency
https://bitchute.com/
https://rumble.com/
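The message above argues that users who manage their own trust stores still draw on the data in the upstream bundle while removing the CAs they do not want. The following is an added example written for this page; it is not FreeBSD's certctl(8), not part of the ca_root_nss port, and not code from the thread. It shows the mechanism in portable, stdlib-only Python: split a PEM bundle into certificates, fingerprint each one the way `openssl x509 -fingerprint -sha256` does (SHA-256 over the DER bytes), and emit only those whose fingerprint is not on an operator-maintained deny list. The sample bundle, the deny list, and the helper `_fake_block` are constructed for the example: the blocks are placeholder payloads wrapped in PEM markers, not real certificates, which is enough because the tool never parses ASN.1.

```python
"""Filter a PEM CA bundle against a local deny list of SHA-256 fingerprints.

Added example for this page (not certctl(8), not the ca_root_nss port).
Fingerprints are SHA-256 over the DER bytes, formatted like openssl's
colon-separated output, so an operator can copy a value straight from
`openssl x509 -noout -fingerprint -sha256 -in cert.pem` into the deny list.
"""
import base64
import hashlib
import re

# One PEM certificate: markers plus the base64 body in between (DOTALL so
# the body may span many lines; non-greedy so each match stops at its END).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_bundle(text):
    """Return the PEM certificate blocks (markers included) in bundle order.

    Comment lines and any other text outside the markers are ignored, as
    they are in the ca-root-nss.crt style of bundle."""
    return [m.group(0) for m in PEM_RE.finditer(text)]


def der_of(pem_block):
    """Decode one PEM block to its DER bytes; rejects malformed base64."""
    body = PEM_RE.search(pem_block).group(1)
    return base64.b64decode("".join(body.split()), validate=True)


def sha256_fingerprint(pem_block):
    """Uppercase, colon-separated SHA-256 over the DER, as openssl prints it."""
    digest = hashlib.sha256(der_of(pem_block)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_denylist(text):
    """Deny-list format (assumed for this example): one fingerprint per line,
    colons optional, case-insensitive, '#' starts a comment."""
    denied = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            denied.add(line.upper().replace(":", ""))
    return denied


def filter_bundle(bundle_text, denylist_text):
    """Return (kept_blocks, dropped_blocks) after applying the deny list."""
    denied = load_denylist(denylist_text)
    kept, dropped = [], []
    for block in split_bundle(bundle_text):
        bare = sha256_fingerprint(block).replace(":", "")
        (dropped if bare in denied else kept).append(block)
    return kept, dropped


# --- constructed sample input (placeholders, NOT real certificates) --------
def _fake_block(payload):
    """Wrap arbitrary bytes in PEM markers so the splitter/hasher has input."""
    b64 = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----"


SAMPLE_BUNDLE = "\n".join([
    "# constructed sample bundle; placeholder payloads stand in for DER",
    _fake_block(b"constructed placeholder DER for CA alpha"),
    _fake_block(b"constructed placeholder DER for CA bravo"),
    _fake_block(b"constructed placeholder DER for CA charlie"),
])

# The operator has decided not to trust "bravo"; its fingerprint is computed
# here only so the sample is self-consistent offline.
SAMPLE_DENYLIST = (
    "# local deny list, one SHA-256 fingerprint per line\n"
    + sha256_fingerprint(_fake_block(b"constructed placeholder DER for CA bravo"))
    + "  # CA bravo\n"
)


if __name__ == "__main__":
    kept, dropped = filter_bundle(SAMPLE_BUNDLE, SAMPLE_DENYLIST)
    for block in dropped:
        print("denied:", sha256_fingerprint(block))
    print(f"kept {len(kept)} of {len(kept) + len(dropped)} certificates")
    # The joined `kept` blocks are what you would write out as the trimmed
    # bundle and point applications at instead of the full upstream file.
```

Keying the deny list on the certificate's own fingerprint rather than its subject name is deliberate: a subject string can be reissued under a new key, while the DER hash pins exactly the certificate the operator reviewed. On FreeBSD the equivalent per-certificate removal is certctl(8)'s untrusted-certificate directory, which survives a rehash when the bundle is updated.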