Date: Wed, 06 Apr 2011 03:01:30 +0200
From: Dan Lukes <dan@obluda.cz>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <4D9BBB6A.9020200@obluda.cz>
In-Reply-To: <651452BB-74F3-4039-8E77-E332CC35A713@mac.com>
References: <AANLkTin_zZgHRg7QtEwH2V8WOd=nvBcKdYvJkshGCt-R@mail.gmail.com> <BANLkTi=zOG0_tWbkAOex4ojXHdC8f-1v1w@mail.gmail.com> <1302042612.3271.100.camel@linux116.ctc.com> <4D9BACF6.4060205@obluda.cz> <651452BB-74F3-4039-8E77-E332CC35A713@mac.com>
On 6.4.2011 2:15, Chuck Swiger:
>> 2. Such a link will affect all users of the system. The decision "what CA is trustful" should remain a personal decision, not the system administrator's decision, by default

> There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for its intended role.

I have been a network administrator in a bank. Be sure that "installation of a data pack" is a very different task than "change security related behavior of program that may/will affect all users".

In the environment you mentioned, e.g. a company taking security questions seriously, the skilled administrator (and/or security officer) will evaluate the situation and will create the link that affects all users, if appropriate. It will not be interested in a blind "automagic" change.

As I said before. Installation of a CA bundle SHOULD NOT affect all users automatically. The "pkg_add" doesn't know who installs such a pack nor why such a pack is installed, so it can't decide the answer.

Just my $0.02

Dan