From: Chuck Swiger
Date: Tue, 05 Apr 2011 17:15:26 -0700
To: Dan Lukes
Cc: freebsd-security
Subject: Re: SSL is broken on FreeBSD
Message-id: <651452BB-74F3-4039-8E77-E332CC35A713@mac.com>
In-reply-to: <4D9BACF6.4060205@obluda.cz>

On Apr 5, 2011, at 4:59 PM, Dan Lukes wrote:
> 2. Such link will affect all users of system.
> Decision "what CA is trustful" should remain personal decision, not the system administrator decision, by default. Installation of ca-root-nss should not hit all users of system automatically.

Well, that depends on who owns and manages the machine in question, and what it is being used for. There are differences between your personal machine, for which you as an individual are welcome to make all of the decisions, and a managed box which is owned by a company which might have a specific PKI infrastructure which is needed for the machine to be usable for its intended role.

Regards,
-- 
-Chuck