From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 01:01:33 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 239251065677 for ; Wed, 6 Apr 2011 01:01:33 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.kolej.mff.cuni.cz (smtp1.kolej.mff.cuni.cz [IPv6:2001:718:1e03:a01::a]) by mx1.freebsd.org (Postfix) with ESMTP id AB8418FC1D for ; Wed, 6 Apr 2011 01:01:32 +0000 (UTC) X-Envelope-From: dan@obluda.cz Received: from [127.0.0.1] (kgw.obluda.cz [193.179.199.50]) by smtp1.kolej.mff.cuni.cz (8.14.4/8.14.4) with ESMTP id p3611Tng041443; Wed, 6 Apr 2011 03:01:31 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <4D9BBB6A.9020200@obluda.cz> Date: Wed, 06 Apr 2011 03:01:30 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.18) Gecko/20110320 SeaMonkey/2.0.13 MIME-Version: 1.0 To: Chuck Swiger References: <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> In-Reply-To: <651452BB-74F3-4039-8E77-E332CC35A713@mac.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: avast! (VPS 110405-1, 05.04.2011), Outbound message X-Antivirus-Status: Clean Cc: freebsd-security Subject: Re: SSL is broken on FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2011 01:01:33 -0000 On 6.4.2011 2:15, Chuck Swiger: >> 2. Such link will affect all users of system. Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default > There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for it's intended role. I has been network administrator in bank. Be sure that "instalation of a data pack" is very different task that "change security related behavior of program that may/will affect all users". In the environment you mentioned, e.g. company taking security questions seriously, the skilled administrator (and/or security officer) will evaluate the situation and will create the link that affect all users, if apropriate. It will not be interested in blind "automagic" change. As I said before. Instalation of CA bundle SHOULD NOT affect all users automatically. The "pkg_add" don't know who install such pack nor why such pack is installed for so it can't decide the answer. Just my $0.02 Dan