Date: Sat, 02 Apr 2011 08:37:36 +0100
From: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name>
To: freebsd-security@freebsd.org
Subject: Re: SSL is broken on FreeBSD
Message-ID: <1301729856.5812.12.camel@w500.local>
In-Reply-To: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com>

On Fri, 2011-04-01 at 15:33 +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is
> like shipping a car without wheels, I suppose.
>
> Is there a reason to do this?
>
> How much effort would be to ship a complete SSL stack, including the root
> CAs, just like any other vendor/community does?

Yeah, maybe FreeBSD should ship with the same list of root CAs that Internet Explorer does, so we can say FreeBSD is a compatible operating system.

This is business, multi-million dollar business. Microsoft decides who to trust on behalf of the consumer, and companies and governments all over the world pay millions of dollars so their sites are "trusted". The price of certificates from VeriSign is justified because everybody trusts them, even though nobody ever thought about it. That's dirty business.

And you think FreeBSD should "suggest" trust in these companies and get nothing in return? Or would they contribute a couple of millions to the FreeBSD Foundation?

The only root CAs that could be included by default would be those of governments (but which governments do you trust?) and things like CAcert.org.

-- 
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C