Date: Mon, 4 Sep 2000 13:38:23 -0700 (PDT)
From: Nick Sayer <nsayer@quack.kfu.com>
To: freebsd-current@freebsd.org
Subject: Include OpenSSL root CA cert list?
Message-ID: <200009042038.NAA20320@icarus.kfu.com>
If something like this already exists, then my searches must have missed it.

In order to improve the usefulness of the openssl installation, I would like to suggest that a collection of CA root certs be added to the base installation and perhaps even referenced by the conf file. Included with the mod-ssl package there is a file called ca-bundle.crt, which purports to be the certificate list that comes with Netscape Navigator/Communicator. I propose to include this file under /usr/share, perhaps as /usr/share/openssl/ca-bundle.crt.

For those unfamiliar, SSL security works by starting with a list of trusted certificates. This list serves a similar purpose to the DNS root cache -- it serves as a starting place for establishing the trustworthiness of SSL certificates. The roots are trusted, and a path of authority can be traced down from the root certs through intermediate certificates finally to a cert that might be used for either an SSL server or S/MIME mail signing or code signing or whatever.

By incorporating this file, certificate verification becomes possible merely with a default installation of FreeBSD. And there's no reason that the list should stay static, although I would suggest it would be up to us to come up with some sort of criteria for determining the level of security required for an arbitrary CA to be deemed "trustworthy".

What does everyone think?