From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 01:58:55 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AEB5C106564A for ; Tue, 5 Apr 2011 01:58:55 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (wollman-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:ccb::2]) by mx1.freebsd.org (Postfix) with ESMTP id 60BA08FC0A for ; Tue, 5 Apr 2011 01:58:55 +0000 (UTC) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.4/8.14.4) with ESMTP id p351wsoG057514; Mon, 4 Apr 2011 21:58:54 -0400 (EDT) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.4/8.14.4/Submit) id p351wsix057511; Mon, 4 Apr 2011 21:58:54 -0400 (EDT) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <19866.30558.24345.112771@hergotha.csail.mit.edu> Date: Mon, 4 Apr 2011 21:58:54 -0400 From: Garrett Wollman To: richo In-Reply-To: <20110404230546.GA25778@richh-desktop.boxdice.com.au> References: <1301729856.5812.12.camel@w500.local> <20110404205705.GA52172@server.vk2pj.dyndns.org> <20110404230546.GA25778@richh-desktop.boxdice.com.au> X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6 (hergotha.csail.mit.edu [127.0.0.1]); Mon, 04 Apr 2011 21:58:54 -0400 (EDT) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on hergotha.csail.mit.edu X-Mailman-Approved-At: Tue, 05 Apr 2011 02:39:27 +0000 Cc: freebsd-security@freebsd.org Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Apr 2011 01:58:55 -0000 < said: > On 05/04/11 06:57 +1000, Peter Jeremy wrote: >> It has occurred to me that maybe the FreeBSD SO should create a root >> cert and distribute that with FreeBSD. That certificate would at >> least have the same trust level as FreeBSD. >> >> -- >> Peter Jeremy > But what would that CA trust? The certificates he also generates for services like freebsd-update and portsnap. And probably also a certificate for use in email to the security-officer role, so that those benighted people who only have access to S/MIME email can still send him private messages. Ideally it would also be used to sign the CHECKSUMS files on the FTP site, so that the installer could check whether it was talking to an authentic mirror site and ask the user what to do. -GAWollman