Date: Fri, 20 Jan 2023 11:05:40 +0100 (CET)
From: freebsd@oldach.net (Helge Oldach)
To: junchoon@dec.sakura.ne.jp (Tomoaki AOKI)
Cc: ports@freebsd.org
Subject: Re: Can security/ca_root_nss be retired?
Message-ID: <202301201005.30KA5emX006163@nuc.oldach.net>
In-Reply-To: <20230120184711.2da251b2964eb324e6373ac5@dec.sakura.ne.jp> from Tomoaki AOKI at "20 Jan 2023 18:47:11"
Tomoaki AOKI wrote on Fri, 20 Jan 2023 10:47:11 +0100 (CET):

> IMHO, we would need 3 places.
> *For base with lowest priority.
> *For ports which can override base certs.
> ALL PORTS SHOULD WRITE CERTS ONLY HERE.
> *For local admins only, with highest priority.
> Nothing else can override certs here.

I disagree. That will create a mess that's hard to troubleshoot.

Keep in mind that some software might not consider some of the proposed stores by design, or walk through the available stores in a different order deviating from what you expect. Also keep in mind that you need to consider trusted *and* untrusted certs in the given priority and consider that your priorities might disagree on specific certs.

All of this can be solved obviously but it's a complex solution to a rather simple case for which base provides a flexible approach already.

Kind regards
Helge
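To make the troubleshooting problem Helge describes concrete, here is an added Python model (example code written for this archive page; it is not FreeBSD code, not certctl, and not from either poster). It sets up the three proposed stores with the proposed priorities, uses constructed fingerprints in place of real CA certificates, and lets the same fingerprint appear as trusted in one store and untrusted in another. Three plausible resolution rules are then applied: strict highest-priority-wins, a consumer that walks the stores in its own order and stops at the first hit, and a conservative rule where any distrust entry blocks the certificate. The `conflicts` function reports every fingerprint on which the rules disagree, which is exactly the situation an operator would have to debug.

```python
"""Model of certificate trust resolution across several stores.

Added illustration only: the store names, priorities and fingerprints are
constructed, and none of the resolution rules claim to be what FreeBSD or
any particular library actually does.
"""
from dataclasses import dataclass, field


@dataclass
class Store:
    name: str
    priority: int            # higher number wins under the proposed scheme
    trusted: set = field(default_factory=set)
    untrusted: set = field(default_factory=set)


# Constructed sample data: "BB:22" and "CC:33" carry opposite verdicts in
# different stores, which is the case Helge's reply warns about.
STORES = [
    Store("base", 0, trusted={"AA:11", "BB:22"}, untrusted={"CC:33"}),
    Store("ports", 1, trusted={"CC:33"}, untrusted={"BB:22"}),
    Store("local", 2, trusted={"BB:22"}),
]


def resolve_highest_priority(stores, fp):
    """Verdict of the highest-priority store that mentions fp at all."""
    for s in sorted(stores, key=lambda s: s.priority, reverse=True):
        if fp in s.untrusted:
            return "untrusted"
        if fp in s.trusted:
            return "trusted"
    return "unknown"


def resolve_first_found(stores, walk_order, fp):
    """Verdict of a consumer that walks stores in its own fixed order and
    stops at the first store that has any entry for fp (a common pattern
    in software that ignores priority metadata)."""
    by_name = {s.name: s for s in stores}
    for name in walk_order:
        s = by_name[name]
        if fp in s.trusted:
            return "trusted"
        if fp in s.untrusted:
            return "untrusted"
    return "unknown"


def resolve_distrust_anywhere(stores, fp):
    """Conservative verdict: an untrusted entry in any store blocks fp,
    regardless of priority; otherwise any trusted entry accepts it."""
    if any(fp in s.untrusted for s in stores):
        return "untrusted"
    if any(fp in s.trusted for s in stores):
        return "trusted"
    return "unknown"


def conflicts(stores, walk_order=("base", "ports", "local")):
    """Return the fingerprints whose verdict depends on which rule a
    consumer applies; each of these is a latent troubleshooting case."""
    fps = set()
    for s in stores:
        fps |= s.trusted | s.untrusted
    out = set()
    for fp in sorted(fps):
        verdicts = {
            resolve_highest_priority(stores, fp),
            resolve_first_found(stores, walk_order, fp),
            resolve_distrust_anywhere(stores, fp),
        }
        if len(verdicts) > 1:
            out.add(fp)
    return out


if __name__ == "__main__":
    for fp in sorted(conflicts(STORES)):
        print(fp, resolve_highest_priority(STORES, fp),
              resolve_first_found(STORES, ("base", "ports", "local"), fp),
              resolve_distrust_anywhere(STORES, fp))
```

With the constructed data, "AA:11" is trusted under every rule, while "BB:22" and "CC:33" each get a different answer depending on whether a consumer honours the priority, walks the directories in its own order, or treats any distrust entry as final. A single store with one trusted and one untrusted list removes that ambiguity, which is the point of preferring the simpler arrangement.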