From owner-freebsd-gecko@FreeBSD.ORG Fri Jul 4 02:33:45 2014 Return-Path: Delivered-To: gecko@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9604F3B6; Fri, 4 Jul 2014 02:33:45 +0000 (UTC) Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "funkthat.com", Issuer "funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CA822157; Fri, 4 Jul 2014 02:33:45 +0000 (UTC) Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s642XdHe098208 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Jul 2014 19:33:39 -0700 (PDT) (envelope-from jmg@h2.funkthat.com) Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id s642XcZa098207; Thu, 3 Jul 2014 19:33:38 -0700 (PDT) (envelope-from jmg) Date: Thu, 3 Jul 2014 19:33:38 -0700 From: John-Mark Gurney To: Poul-Henning Kamp Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? Message-ID: <20140704023338.GS45513@funkthat.com> Mail-Followup-To: Poul-Henning Kamp , Eitan Adler , d@delphij.net, Ben Laurie , gecko@freebsd.org, Bryan Drewery , freebsd-security@freebsd.org, Jung-uk Kim , FreeBSD Ports Management Team , re , Jonathan Anderson References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <99544.1404401416@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <99544.1404401416@critter.freebsd.dk> User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 7.2-RELEASE i386 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Thu, 03 Jul 2014 19:33:39 -0700 (PDT) X-Mailman-Approved-At: Fri, 04 Jul 2014 04:25:48 +0000 Cc: d@delphij.net, freebsd-security@freebsd.org, Ben Laurie , gecko@freebsd.org, Bryan Drewery , Jonathan Anderson , FreeBSD Ports Management Team , re , Jung-uk Kim X-BeenThere: freebsd-gecko@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Gecko Rendering Engine issues List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Jul 2014 02:33:45 -0000 Poul-Henning Kamp wrote this message on Thu, Jul 03, 2014 at 15:30 +0000: > In message , Eitan Adler writes: > >On 3 July 2014 07:57, Jonathan Anderson wrote: > >> Just my $.02, but if the FreeBSD project is to maintain a > >> ca-root-freebsd.pem, I think it should have one certificate in it: the root > >> FreeBSD Project cert. Beyond that, I'm not willing to vouch for the > >> trustworthiness of any CA, and I don't think the Project should either. > > I think this makes a lot of sense: FreeBSD is not in the trust-business > and have no benefit from trying to enter it. Using a CA bundle for downloads is VERY different than pushing banking data across it... Yes, they are used for the same thing, but any CA cert is more trusted than using --no-verify-peer which is more trusted than using http... So, of course if we install a CA bundle, this does mean someone who uses lynx or other text based browser might now not get warnings about untrusted banking sites, but again, the CA bundle is primarily to increase the usability/reliability of fetch, not protecting banking sites... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."