From owner-freebsd-security@FreeBSD.ORG Sat Jul 5 08:43:21 2014
Return-Path:
Delivered-To: FreeBSD-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C60CDC3E for ; Sat, 5 Jul 2014 08:43:21 +0000 (UTC)
Received: from mailout4.lrau.net (mailout4.lrau.net [IPv6:2a02:d40:2:2::73]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 841A323FA for ; Sat, 5 Jul 2014 08:43:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=chaos1.de; s=email; h=To:References:Message-Id:Content-Transfer-Encoding:Date:In-Reply-To:From:Subject:Mime-Version:Content-Type; bh=6Thu1ui64ScVaFQPlLEUi8nH+ZBboLGYcBjtmMiQrQY=; b=dTK9ohED9VYQw2Iat+1KcZra8AnU3eb8y/pT3i+m6NPdnrOVtXyGWpKVkFB9GlFP92XIQEyuFnElFpfnegf7zf9sDsGEBPqul58shuovLZAiqPCnQVoVtl+7S+Ozu6jjA3rCXlVefRbLs618Mq44HIXISedg6tlGXGJLasAW4fc=;
Received: from [91.216.35.74] (helo=imap.lrau.net) by mailout4.lrau.net with esmtp (Exim 4.82) (envelope-from ) id 1X3LZ0-000HTc-DP for FreeBSD-security@FreeBSD.org; Sat, 05 Jul 2014 08:43:18 +0000
Received: from AXEL.RAU@Chaos1.DE by imap.lrau.net (Archiveopteryx 3.2.0) with esmtpsa id 1404549797-27428-27426/7/779; Sat, 5 Jul 2014 08:43:17 +0000
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
From: Axel Rau
In-Reply-To: <21429.55379.293697.133423@hergotha.csail.mit.edu>
Date: Sat, 5 Jul 2014 10:43:16 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id:
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <20140703221448.GA99094@calvin.ustdmz.roe.ch> <21429.55379.293697.133423@hergotha.csail.mit.edu>
To: FreeBSD-security@FreeBSD.org
X-Mailer: Apple Mail (2.1878.6)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sat, 05 Jul 2014 08:43:21 -0000

On 04.07.2014 at 00:25, Garrett Wollman wrote:
> < said:
>
>> [1] There is no such thing as a perfect CA bundle (i.e. both
>> secure *and* usable) given how broken the whole CA system is
>> these days.
>
> So is anyone working on DANE support in libfetch and other base-system
> utilities? Let's lead on this rather than just flaming about how CAs
> suck….

+1
DANE is the route to go in the future. It perfectly matches the use case discussed here.

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
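Editor's note, added to this archive page and not part of the message above, nor code from FreeBSD or libfetch: the thread proposes DANE (RFC 6698) as the alternative to shipping a CA bundle. The part of DANE that replaces the bundle is small: a TLSA record published in DNS (and expected to be DNSSEC-validated, which this example does not cover) carries a usage, a selector, a matching type and the association data, and the client compares the server's certificate against it. The Python below implements that comparison for certificate usage 3 (DANE-EE, where no CA is consulted at all), both selectors (0 = full certificate, 1 = SubjectPublicKeyInfo) and all three matching types, including the minimal DER walk needed to pull the SPKI out of a certificate. The certificate it checks is a constructed, structurally valid but unsigned and meaningless fixture built inline so the code runs offline; the record text, helper names and key bytes are all invented for the example.

```python
"""Offline TLSA (DANE, RFC 6698) matching against a DER X.509 certificate.

Constructed example for illustration; not FreeBSD, libfetch or OpenSSL code.
Only certificate usage 3 (DANE-EE) is handled: the record pins the end-entity
certificate or its public key directly, so no CA bundle is involved.
"""
import hashlib
import hmac
from typing import Tuple


# --- minimal DER helpers ------------------------------------------------------

def der_len(n: int) -> bytes:
    """Encode a DER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    RFC 6698 selector 1 hashes exactly this TLV, tag and length included.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:              # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):           # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[pos:end]


# --- TLSA record handling -----------------------------------------------------

def parse_tlsa(rr: str) -> Tuple[int, int, int, bytes]:
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rr.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(rr: str, cert_der: bytes) -> bool:
    """True if the presented certificate satisfies a usage-3 (DANE-EE) TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rr)
    if usage != 3:
        # Usages 0-2 additionally need PKIX chain building or a trust-anchor match,
        # which is exactly the machinery this example leaves out.
        raise NotImplementedError("only certificate usage 3 (DANE-EE) is handled")
    if selector == 0:
        data = cert_der                # full certificate
    elif selector == 1:
        data = extract_spki(cert_der)  # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == 0:
        digest = data                  # exact match, no hashing
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return hmac.compare_digest(digest, assoc)


def tlsa_for_cert(cert_der: bytes, selector: int = 1, mtype: int = 1) -> str:
    """Build the usage-3 record a zone operator would publish for this certificate."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()
    return "3 %d %d %s" % (selector, mtype, digest)


# --- constructed fixture ------------------------------------------------------

def build_fake_cert(key_bytes: bytes) -> bytes:
    """Structurally valid, unsigned, meaningless DER certificate (test fixture only)."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                          # [0] INTEGER 2 (v3)
    serial = tlv(0x02, b"\x01")
    sigalg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    name = tlv(0x30, b"")                                            # empty Name
    validity = tlv(0x30, tlv(0x17, b"140705000000Z") + tlv(0x17, b"150705000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + tlv(0x03, b"\x00" + key_bytes))                      # placeholder key
    tbs = tlv(0x30, version + serial + sigalg + name + validity + name + spki)
    return tlv(0x30, tbs + sigalg + tlv(0x03, b"\x00" * 9))


CERT = build_fake_cert(b"constructed-server-public-key")     # constructed
OTHER = build_fake_cert(b"constructed-attacker-public-key")  # same issuer, other key
RECORD = tlsa_for_cert(CERT)                                 # "3 1 1 <sha256 of SPKI>"

if __name__ == "__main__":
    print(RECORD)
    print(tlsa_matches(RECORD, CERT))   # server's own certificate
    print(tlsa_matches(RECORD, OTHER))  # any other key is rejected, CA or not
```

Two points the thread's argument rests on are visible here: with usage 3 the check never touches a CA store, so the question of which bundle to ship disappears for that host; and the whole scheme is only as trustworthy as the DNS answer, which is why real deployments insist on DNSSEC validation of the TLSA record (not shown) before treating a match as authentication.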