Date: Thu, 3 Jul 2014 14:16:25 +0000 From: Mark Felder <feld@freebsd.org> To: freebsd-security@freebsd.org Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? Message-ID: <5c02fe3098089bf6d58834a66f2eeba7@mail.feld.me> In-Reply-To: <53B499B1.4090003@delphij.net> References: <53B499B1.4090003@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
There is always going to be skepticism about who to trust by default. The CA system is out of control and it worries me as well. However, if we do not make an effort to provide a default trust store why do we enforce verification by default? I feel it would be more consistent to disable verification requiring those who know what they're doing to create their own trust store and pass --verify-peer to fetch manually. I'm on the verge of breaking my keyboard every time I jump onto a random FreeBSD server and try to fetch something over https. --no-verify-peer is now muscle memory; that isn't a good sign. I eagerly await verification through DNSSEC to take off. -2c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5c02fe3098089bf6d58834a66f2eeba7>