From: Mark Felder
Date: Thu, 3 Jul 2014 14:16:25 +0000
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
To: freebsd-security@freebsd.org
In-Reply-To: <53B499B1.4090003@delphij.net>

There is always going to be skepticism about who to trust by default. The CA system is out of control and it worries me as well. However, if we do not make an effort to provide a default trust store, why do we enforce verification by default? I feel it would be more consistent to disable verification, requiring those who know what they're doing to create their own trust store and pass --verify-peer to fetch manually.

I'm on the verge of breaking my keyboard every time I jump onto a random FreeBSD server and try to fetch something over https. --no-verify-peer is now muscle memory; that isn't a good sign. I eagerly await verification through DNSSEC to take off.

-2c