From owner-freebsd-gecko@FreeBSD.ORG  Fri Jul  4 02:36:04 2014
Return-Path: <owner-freebsd-gecko@FreeBSD.ORG>
Delivered-To: gecko@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DF2243FB;
 Fri,  4 Jul 2014 02:36:04 +0000 (UTC)
Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "funkthat.com", Issuer "funkthat.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id BA615215F;
 Fri,  4 Jul 2014 02:36:04 +0000 (UTC)
Received: from h2.funkthat.com (localhost [127.0.0.1])
 by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s642ZtPl098263
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 3 Jul 2014 19:35:55 -0700 (PDT)
 (envelope-from jmg@h2.funkthat.com)
Received: (from jmg@localhost)
 by h2.funkthat.com (8.14.3/8.14.3/Submit) id s642ZtN7098262;
 Thu, 3 Jul 2014 19:35:55 -0700 (PDT) (envelope-from jmg)
Date: Thu, 3 Jul 2014 19:35:55 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: d@delphij.net
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140704023555.GT45513@funkthat.com>
Mail-Followup-To: d@delphij.net, freebsd-security@freebsd.org,
 Ben Laurie <benl@freebsd.org>, gecko@freebsd.org,
 re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>
References: <53B499B1.4090003@delphij.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <53B499B1.4090003@delphij.net>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.2-RELEASE i386
X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88  9322 9CB1 8F74 6D3F A396
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html
X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.2
 (h2.funkthat.com [127.0.0.1]); Thu, 03 Jul 2014 19:35:55 -0700 (PDT)
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
 re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>, gecko@freebsd.org
X-BeenThere: freebsd-gecko@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Gecko Rendering Engine issues <freebsd-gecko.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-gecko>,
 <mailto:freebsd-gecko-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-gecko/>
List-Post: <mailto:freebsd-gecko@freebsd.org>
List-Help: <mailto:freebsd-gecko-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-gecko>,
 <mailto:freebsd-gecko-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 02:36:05 -0000

Xin Li wrote this message on Wed, Jul 02, 2014 at 16:45 -0700:
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

My only comment on this is that we (committers) or -core needs to decide
how certs are added/removed... If it's mirror mozzila's cert repo, then
that's fine, but if we don't have a policy, what will we do when other
CA's contact someone at FreeBSD wanting to get their cert included by
default?

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."