From owner-freebsd-security@FreeBSD.ORG Sat Jul 5 09:22:58 2014
Date: Sat, 5 Jul 2014 19:22:37 +1000
From: Alastair Hogge
To: Axel Rau
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140705092237.GA94704@kropotkin.aux.io>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <20140703221448.GA99094@calvin.ustdmz.roe.ch> <21429.55379.293697.133423@hergotha.csail.mit.edu>
List-Id: "Security issues [members-only posting]"

On 2014-07-05 Sat 10:43:16 +0200, Axel Rau wrote:
>
> On 04.07.2014 at 00:25, Garrett Wollman wrote:
>
> > < said:
> >
> >> [1] There is no such thing as a perfect CA bundle (i.e. both
> >> secure *and* usable) given how broken the whole CA system is
> >> these days.
> >
> > So is anyone working on DANE support in libfetch and other base-system
> > utilities? Let's lead on this rather than just flaming about how CAs
> > suck….
> +1 DANE is the route to go in the future.
> It perfectly matches the use case discussed here.
+1