From: Matthew Seaman <matthew@FreeBSD.org>
To: kpneal@pobox.com
Cc: mfv@bway.net, Anton Sayetsky, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Downloading 10.2-RELEASE-p10 source without prayer
Date: Fri, 22 Jan 2016 13:28:49 +0000
Message-ID: <56A22E91.5030606@FreeBSD.org>
In-Reply-To: <20160122131135.GA12085@neutralgood.org>

On 2016/01/22 13:11, kpneal@pobox.com wrote:
> On Thu, Jan 21, 2016 at 07:58:57AM +0000, Matthew Seaman wrote:
>> On 20/01/2016 23:11, mfv wrote:
>>> I do not know how ca_root_nss works but will save that for another day.
>>> Right now, it just works, without any intervention on my part. Kudos
>>> to the developers.
>>
>> ca_root_nss is just a list of Certification Authority certificates,
>> which OpenSSL will trust by default. It's derived from the list of
>> certificates that is built into Firefox for the same purpose.
>>
>> 'Trust' in this sense means that you're trusting the CA to verify that
>> the identity they've signed a certificate for is legitimately the
>> property of the people requesting it.
>> Various CAs have been expelled from that list over time, due to
>> incompetence or because they were found to be the tools of a repressive
>> regime, so it's important to keep ca_root_nss up to date.
>
> Say, won't DNSSEC+DANE eliminate the need for a CA?
>
> Or, at the very least, it will allow for certificates to be designated as
> ONLY coming from a specific CA.

Yes indeed. DNSSEC+DANE is another way of being able to declare to the
world that you own a specific SSL key / cert in a cryptographically
secure manner.

To trust DANE, you essentially have to trust that DNSSEC is secure --
which is quite a reasonable thing to do -- and assume that the people in
control of the DNS for example.com are at least allied with the people
that manage the site at https://foo.example.com/ (this will usually be
the case, but it's possibly the least reliable step in this concept.)

Whether DANE will make CAs obsolete remains to be seen. It's pretty
useful for SMTP over TLS at the moment, but most other applications
need client-side support added.
Cheers,

Matthew
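An added example (not part of the list thread) showing the TLSA matching that Matthew's DANE description implies: the record counts only when the DNS answer was DNSSEC-validated, DANE-EE/DANE-TA usages pin the leaf or an issuer with no CA bundle involved, and the PKIX-* usages are the "ONLY coming from a specific CA" case, constraining rather than replacing ca_root_nss validation. The chain tuples, the SPKI bytes and the dane_verify/parse_tlsa helpers are constructed for illustration, not real X.509 data or any library's API.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class TlsaRecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo (SPKI)
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(text: str) -> TlsaRecord:
    """Parse the zone presentation format: 'usage selector matching hexdata'."""
    usage, selector, matching, hexdata = text.split(None, 3)
    return TlsaRecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def _matches(rec: TlsaRecord, der: bytes, spki: bytes) -> bool:
    selected = der if rec.selector == 0 else spki
    if rec.matching == 0:
        return selected == rec.data
    digest = hashlib.sha256 if rec.matching == 1 else hashlib.sha512
    return digest(selected).digest() == rec.data


def dane_verify(tlsa_text: str, chain, dnssec_ad: bool, pkix_ok: bool) -> bool:
    """chain[0] is the end-entity cert, the rest its issuers; each item is (der, spki).
    dnssec_ad: the TLSA answer was DNSSEC-validated (AD bit from a validating resolver).
    pkix_ok: the chain also validated against the CA bundle (e.g. ca_root_nss)."""
    if not dnssec_ad:
        return False   # unsigned TLSA data proves nothing: DANE rests on DNSSEC
    rec = parse_tlsa(tlsa_text)
    if rec.usage in (0, 1) and not pkix_ok:
        return False   # PKIX-TA/PKIX-EE constrain CA validation, they do not replace it
    if rec.usage in (1, 3):
        return _matches(rec, *chain[0])      # *-EE: only the leaf may match
    return any(_matches(rec, d, s) for d, s in chain[1:])  # *-TA: an issuer must match


# Constructed sample chain (hypothetical): placeholder bytes, not real X.509 DER.
LEAF = (b"DER:leaf:foo.example.com", b"SPKI:leaf-key")
ISSUER = (b"DER:issuer:Example CA", b"SPKI:issuer-key")
CHAIN = [LEAF, ISSUER]


def sample_tlsa(usage: int, selector: int) -> str:
    """Build a SHA-256 TLSA record for the chain member the usage refers to."""
    der, spki = CHAIN[0] if usage in (1, 3) else CHAIN[1]
    selected = der if selector == 0 else spki
    return f"{usage} {selector} 1 {hashlib.sha256(selected).hexdigest()}"
```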