From owner-freebsd-security@FreeBSD.ORG  Fri Jul  4 01:03:15 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 59F03A9F
 for <freebsd-security@freebsd.org>; Fri,  4 Jul 2014 01:03:15 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4556D294C
 for <freebsd-security@freebsd.org>; Fri,  4 Jul 2014 01:03:15 +0000 (UTC)
Received: from joe-2.local (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s6413Eh5048266
 for <freebsd-security@freebsd.org>; Fri, 4 Jul 2014 01:03:14 GMT
 (envelope-from jonathan@FreeBSD.org)
Message-ID: <53B5FD51.4050309@FreeBSD.org>
Date: Thu, 03 Jul 2014 22:33:13 -0230
From: Jonathan Anderson <jonathan@FreeBSD.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org>
 <53B56F49.7030109@FreeBSD.org>
 <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>
 <20140703221448.GA99094@calvin.ustdmz.roe.ch>
In-Reply-To: <20140703221448.GA99094@calvin.ustdmz.roe.ch>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 01:03:15 -0000

Daniel Roethlisberger wrote:
> I share your view that there should be functional HTTPS capability in 
> a base install.
I think we're all agreed on that, my point is that the statement "a base 
install should have a CA bundle by default" does not have to imply 
"every FreeBSD system must accept a the same CAs". A "base install" is 
something that's been customized by the installer: we don't all have the 
same keyboard, we don't all extract a ports tree at install time, so why 
not make CA bundles part of the install-time customization?

Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not 
subtractive: we can make it easy for users to install whatever CA 
bundles they like, but if you put a bad CA cert in the base system, I 
have to manually patch the base system, even in environments where I'd 
rather use binary releases and freebsd-update.


Jon
-- 
Jonathan Anderson
jonathan@FreeBSD.org