From: Miguel Lopes Santos Ramos
To: freebsd-security@freebsd.org
Subject: Re: SSL is broken on FreeBSD
Date: Sat, 02 Apr 2011 08:37:36 +0100
Message-ID: <1301729856.5812.12.camel@w500.local>

Fri, 2011-04-01 at 15:33 +0100, István wrote:
> FreeBSD ships OpenSSL but it is broken because there is no CA. Right, it is
> like shipping a car without wheels, I suppose.
>
> Is there a reason to do this?
>
> How much effort would it be to ship a complete SSL stack, including the root
> CAs, just like any other vendor/community does?

Yeah, maybe FreeBSD should ship with the same list of root CAs that Internet Explorer does, so we can say FreeBSD is a compatible operating system.

This is business, multi-million dollar business. Microsoft decides who to trust on behalf of the consumer, and companies and governments all over the world pay millions of dollars so their sites are "trusted". The price of certificates from VeriSign is justified because everybody trusts them, even though nobody ever thought about it. That's dirty business.

And you think FreeBSD should "suggest" trust on these companies and get nothing in return? Or would they contribute a couple of millions to the FreeBSD Foundation?

The only root CAs that could be included by default would be those of governments (but which governments do you trust?) and things like CAcert.org.

-- 
Miguel Ramos PGP A006A14C