Date:      Fri, 4 Jul 2014 00:04:45 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Mark Felder <feld@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <20140704070445.GY45513@funkthat.com>
In-Reply-To: <5c02fe3098089bf6d58834a66f2eeba7@mail.feld.me>
References:  <53B499B1.4090003@delphij.net> <5c02fe3098089bf6d58834a66f2eeba7@mail.feld.me>

Mark Felder wrote this message on Thu, Jul 03, 2014 at 14:16 +0000:
> There is always going to be skepticism about who to trust by default. The CA system is out of control and it worries me as well. However, if we do not make an effort to provide a default trust store why do we enforce verification by default? I feel it would be more consistent to disable verification requiring those who know what they're doing to create their own trust store and pass --verify-peer to fetch manually. I'm on the verge of breaking my keyboard every time I jump onto a random FreeBSD server and try to fetch something over https.
> 
> --no-verify-peer is now muscle memory; that isn't a good sign. I eagerly await verification through DNSSEC to take off.

Maybe an interesting compromise, if there is no symlink/root of
trust cert(s), is to issue a warning, but go ahead anyways as if
--no-verify-peer is specified?  That is assuming we don't install one
by default...

I normally use wget which has the same issue, so I usually spell it
--no-check-certificate...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


