From owner-freebsd-security@FreeBSD.ORG Fri Jul 4 01:03:15 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 59F03A9F for ; Fri, 4 Jul 2014 01:03:15 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4556D294C for ; Fri, 4 Jul 2014 01:03:15 +0000 (UTC) Received: from joe-2.local (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s6413Eh5048266 for ; Fri, 4 Jul 2014 01:03:14 GMT (envelope-from jonathan@FreeBSD.org) Message-ID: <53B5FD51.4050309@FreeBSD.org> Date: Thu, 03 Jul 2014 22:33:13 -0230 From: Jonathan Anderson User-Agent: Postbox 3.0.11 (Macintosh/20140602) MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <20140703221448.GA99094@calvin.ustdmz.roe.ch> In-Reply-To: <20140703221448.GA99094@calvin.ustdmz.roe.ch> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Jul 2014 01:03:15 -0000 Daniel Roethlisberger wrote: > I share your view that there should be functional HTTPS capability in > a base install. I think we're all agreed on that, my point is that the statement "a base install should have a CA bundle by default" does not have to imply "every FreeBSD system must accept a the same CAs". A "base install" is something that's been customized by the installer: we don't all have the same keyboard, we don't all extract a ports tree at install time, so why not make CA bundles part of the install-time customization? Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not subtractive: we can make it easy for users to install whatever CA bundles they like, but if you put a bad CA cert in the base system, I have to manually patch the base system, even in environments where I'd rather use binary releases and freebsd-update. Jon -- Jonathan Anderson jonathan@FreeBSD.org