From: Jonathan Anderson <jonathan@FreeBSD.org>
Date: Thu, 03 Jul 2014 12:27:13 -0230
To: Bryan Drewery
Cc: d@delphij.net, Ben Laurie, gecko@FreeBSD.org, freebsd-security@FreeBSD.ORG, FreeBSD Ports Management Team, re, Jung-uk Kim
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <53B56F49.7030109@FreeBSD.org>
In-Reply-To: <53B4B7FB.6070407@FreeBSD.org>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org>
List-Id: Gecko Rendering Engine issues (freebsd-gecko@freebsd.org)

Bryan Drewery wrote:
> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.

How very sensible!

> I like the idea of secteam maintaining a ca-root-freebsd.pem even
> better, as long as you are willing to.

Just my $.02, but if the FreeBSD project is to maintain a ca-root-freebsd.pem, I think it should have one certificate in it: the root FreeBSD Project cert. Beyond that, I'm not willing to vouch for the trustworthiness of any CA, and I don't think the Project should either. Let people install CA bundles from packages, even give admins the choice of "the Mozilla bundle" vs "Dr Guru's paranoid bundle" vs whatever, but I don't think the Project should be in the business of endorsing any particular CA in the base system.

> IMHO always install it, don't depend on MK_OPENSSL. Is the file actually
> specific to OpenSSL? Ports would love to have it be available all the
> time regardless of SSL library choices.

Or we could patch the OpenSSL port to use /usr/local/etc/ssl too?

Jon

--
Jonathan Anderson
jonathan@FreeBSD.org
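The thread turns on two things an administrator will want to check on a given host: which cert.pem libfetch would actually pick up under the lookup order Bryan describes (/usr/local/etc/ssl before /etc/ssl), and how many CAs that winning bundle makes the system trust, since Jon's proposal is a base bundle with exactly one certificate. The following POSIX shell script is an added example, not code from the thread or from FreeBSD; it builds a throwaway directory tree with constructed placeholder PEM blocks (not real certificates) to demonstrate both checks offline, and the directory list passed to pick_ca_bundle is an assumption modelled on the order quoted above, not a reading of libfetch's source.

```shell
#!/bin/sh
# Added example: resolve which cert.pem wins under a "local first, then base"
# search order and audit how many CA certificates that bundle contains.

# pick_ca_bundle DIR...
#   Prints the first DIR/cert.pem that exists, in the order given; returns 1 if none.
pick_ca_bundle() {
    for d in "$@"; do
        if [ -f "$d/cert.pem" ]; then
            printf '%s\n' "$d/cert.pem"
            return 0
        fi
    done
    return 1
}

# count_ca_certs FILE
#   Prints the number of PEM certificate blocks in FILE (0 if FILE is missing).
count_ca_certs() {
    if [ ! -f "$1" ]; then
        echo 0
        return 1
    fi
    # grep -c exits 1 when the count is 0, which is not an error for us.
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# write_fake_bundle FILE N
#   Writes N constructed placeholder certificate blocks (NOT real X.509 data)
#   so the counting logic can be exercised without any network or real CA.
write_fake_bundle() {
    mkdir -p "$(dirname "$1")"
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1))
        {
            echo "# constructed placeholder $i"
            echo "-----BEGIN CERTIFICATE-----"
            echo "PLACEHOLDERBASE64DATA$i"
            echo "-----END CERTIFICATE-----"
        } >> "$1"
    done
}

# make_demo_layout ROOT
#   Builds ROOT/usr/local/etc/ssl/cert.pem (one cert, the single-root model
#   Jon proposes) and ROOT/etc/ssl/cert.pem (three certs, a larger bundle).
make_demo_layout() {
    write_fake_bundle "$1/usr/local/etc/ssl/cert.pem" 1
    write_fake_bundle "$1/etc/ssl/cert.pem" 3
}

# Stand-alone demonstration against a temporary tree.
demo_root=$(mktemp -d)
make_demo_layout "$demo_root"
winner=$(pick_ca_bundle "$demo_root/usr/local/etc/ssl" "$demo_root/etc/ssl")
echo "bundle in use: $winner"
echo "CA certificates trusted: $(count_ca_certs "$winner")"
rm -rf "$demo_root"
```

On a real host you would pass /usr/local/etc/ssl and /etc/ssl (without the demo root prefix) and compare the count against what you expect the installed package or base bundle to contain; a count that drifts from the package's documented number is the kind of thing worth alerting on.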