From owner-freebsd-security@FreeBSD.ORG Mon Apr 4 20:57:10 2011
Date: Tue, 5 Apr 2011 06:57:05 +1000
From: Peter Jeremy
To: Miguel Lopes Santos Ramos
Cc: freebsd-security@freebsd.org
Subject: Re: SSL is broken on FreeBSD
Message-ID: <20110404205705.GA52172@server.vk2pj.dyndns.org>
In-Reply-To: <1301729856.5812.12.camel@w500.local>
References: <1301729856.5812.12.camel@w500.local>

On 2011-Apr-02 08:37:36 +0100, Miguel Lopes Santos Ramos wrote:
> The only root CAs that could be included by default would be those of
> governments (but which governments do you trust?) and things like
> CAcert.org.

Actually, there was a certificate port that included CAcert.org, but the port was dropped for various reasons. And Mozilla doesn't currently trust CAcert.org, so why should FreeBSD? (Note that Mozilla has defined an audit process to verify CAs, and CAcert.org is slowly working towards compliance.)

It has occurred to me that maybe the FreeBSD SO should create a root cert and distribute that with FreeBSD. That certificate would at least have the same trust level as FreeBSD.

-- 
Peter Jeremy