From: Nick Sayer
Date: Mon, 4 Sep 2000 13:38:23 -0700 (PDT)
Message-Id: <200009042038.NAA20320@icarus.kfu.com>
To: freebsd-current@freebsd.org
Subject: Include OpenSSL root CA cert list?

If something like this already exists, then my searches must have missed it.

In order to improve the usefulness of the openssl installation, I would like to suggest that a collection of CA root certs be added to the base installation and perhaps even referenced by the conf file.

Included with the mod-ssl package there is a file called ca-bundle.crt, which purports to be the certificate list that comes with Netscape Navigator/Communicator. I propose to include this file under /usr/share, perhaps as /usr/share/openssl/ca-bundle.crt.

For those unfamiliar, SSL security works by starting with a list of trusted certificates. This list serves a similar purpose as the DNS root cache -- it serves as a starting place for establishing the trustworthiness of SSL certificates. The roots are trusted, and a path of authority can be traced down from the root certs through intermediate certificates finally to a cert that might be used for either an SSL server or S/MIME mail signing or code signing or whatever.

By incorporating this file, certificate verification becomes possible merely with a default installation of FreeBSD.

And there's no reason that the list should stay static, although I would suggest it would be up to us to come up with some sort of criteria for determining the level of security required for an arbitrary CA to be deemed "trustworthy".

What does everyone think?
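
The trust model described in the message, as an added example that is not part of the original post: a shell script using the openssl command line that builds a constructed root, intermediate and leaf certificate, then checks the leaf against a bundle file. The "Example ..." subjects, the file names and the helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). All names are constructed.

# make_chain DIR: create a throwaway root -> intermediate -> leaf chain in DIR,
# plus an unrelated root, and two bundles: one holding our root, one not.
make_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root inter leaf other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    sign='openssl x509 -req -sha256 -days 30'
    # Roots are self-signed; everything below them is signed by its parent.
    $sign -in root.csr  -signkey root.key  -extfile ca.ext -out root.crt  2>/dev/null &&
    $sign -in other.csr -signkey other.key -extfile ca.ext -out other.crt 2>/dev/null &&
    $sign -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
          -extfile ca.ext -out inter.crt 2>/dev/null &&
    $sign -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
          -extfile leaf.ext -out leaf.crt 2>/dev/null &&
    cp root.crt ca-bundle.crt &&     # bundle that trusts our root
    cp other.crt other-bundle.crt    # bundle that trusts only the unrelated root
)

# verify_leaf BUNDLE LEAF [INTERMEDIATE]: print "trusted" or "untrusted".
# BUNDLE is the trust anchor list; INTERMEDIATE is offered but never trusted.
verify_leaf() {
    if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

demo() {
    d=$(mktemp -d) && make_chain "$d" || return 1
    echo "root in bundle:       $(verify_leaf "$d/ca-bundle.crt" "$d/leaf.crt" "$d/inter.crt")"
    echo "root not in bundle:   $(verify_leaf "$d/other-bundle.crt" "$d/leaf.crt" "$d/inter.crt")"
    echo "intermediate missing: $(verify_leaf "$d/ca-bundle.crt" "$d/leaf.crt")"
    rm -rf "$d"
}
demo
```

Only the first case verifies: the leaf is accepted when the bundle holds its root and the intermediate is available to complete the path.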