Date: Sat, 02 Apr 2011 09:44:58 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-security <freebsd-security@freebsd.org> Subject: Re: SSL is broken on FreeBSD Message-ID: <4D96E20A.8050409@infracaninophile.co.uk> In-Reply-To: <20110401233009.GA87214@guilt.hydra> References: <20110401153300.GA85392@guilt.hydra> <AANLkTi=fqSAMiGtGQO1%2Bt1QbhNY1m_S%2Bx294WX3zHpOK@mail.gmail.com> <4D9639B0.1070302@FreeBSD.org> <AANLkTi=17e7qE8yAACKiYSvpvsUZhDJu4e=mmM%2BhHwr8@mail.gmail.com> <4D963C23.4080100@FreeBSD.org> <AANLkTi=BrOUJsbJxdpg3-njsj-Msug-cnjH1ycLFrdPx@mail.gmail.com> <20110401212648.GK86409@numachi.com> <AANLkTikMSE9sx1StHQ4WRN7hq3hmPG3qetLRJkn8SCr9@mail.gmail.com> <4D9654BC.6040808@supsi.ch> <20110401225033.GL86409@numachi.com> <20110401233009.GA87214@guilt.hydra>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig48C7FAEDD4E1D3A867685A0B
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 02/04/2011 00:30, Chad Perrin wrote:
> I don't think that either of the two options currently under discussion=
> (quietly provide a "trusted" CA list or quietly failing to provide one)=
> is optimal. In the best-case scenario, I guess there would be some
> self-evident system for letting the user choose what to use, if anythin=
g,
> giving a very brief, glancing explanation of the meaning of trust in th=
is
> circumstance. Failing that -- given the options currently available to=
> us without writing more software to do it differently in a way that's
> compatible with how we manage our OSes -- I don't much care whether a
> list of "trusted" CAs is included or not. The important thing here is
> knowledge, and both approaches under discussion fail to impart any
> knowledge upon the user, so it's six of one and half a dozen of the
> other.
>=20
> I'm open to being convinced it really matters, though, if someone has a=
n
> argument more compelling than Istvan's.
>=20
> (This ignores the notion that there are simply better ways to validate
> certs than via CA trust, which is a somewhat separate issue.)
There's a point here that no-one has explored.
Yes, FireFox, Chrome, IE all come with a pre-configured list of trusted
CAs. That is the list of CAs that those vendors think their users
should trust /to validate websites/. This is a solution (maybe not a
particularly satisfying one) for the problem of establishing trust
between a site and a potentially very large audience of subscribers
without having to have some sort of individual verification procedure
between each user and the site: something which is clearly impractical.
What are the applications[*] that a central CA store provided by the
openssl libraries are supposed to provide validation for? Well, it
could be anything that uses SSL/TLS. Why should we assume that it is
appropriate to trust the same set of CAs as are used to validate
websites? Much of the time, that is exactly what you don't want to do
-- frequently you only want to trust a small private group, where you
know all the other parties already. In this case, having system updates
gratuitously install some other set of CA certs is a gross security
violation.
FreeBSD doesn't assume anything much about the way anyone is going to
use it. This comes as a bit of a shock to many users of other OSes, who
are used to something much more pre-configured to specific use cases.
This is a gap that PC-BSD fills. Personally, I'd be quite happy
describing PC-BSD as a "distro" of FreeBSD aimed at desktop users,
although I don't know what the PC-BSD folks would think of that.
Cheers
Matthew
[*] In fact, most applications that use SSL/TLS will have their own
facilities for keeping a chain of trusted CAs outside /etc/ssl.
--=20
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew@infracaninophile.co.uk Kent, CT11 9PW
--------------enig48C7FAEDD4E1D3A867685A0B
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2W4hIACgkQ8Mjk52CukIxeywCfaTAtdBiJoH5c3iyG2PSuE+h6
UAoAn2yf6D7Ooarb2F/vHDFc8njlPwdp
=lAin
-----END PGP SIGNATURE-----
--------------enig48C7FAEDD4E1D3A867685A0B--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D96E20A.8050409>