Date:      Fri, 26 Feb 2021 08:41:21 +0100
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: CA's TLS Certificate Bundle in base = BAD
Message-ID:  <77c6d5bf-a213-5fae-df0d-542aa9a4a0a5@obluda.cz>
In-Reply-To: <20210226010750.GY5246@funkthat.com>
References:  <CAD2Ti28EPBshbVEJbT8WE-OiWq_qMTS3b=LeQSfJrOfkFT4VJg@mail.gmail.com> <20210226010750.GY5246@funkthat.com>

On 26.2.2021 2:07, John-Mark Gurney wrote:
>> Third party CA's are an untrusted automagical nightmare of global and
>> local MITM risk...
> 
> Do you delete all the CA's from your browsers then?

Yes, I'm cleaning them from the browser, then I'm adding a few CAs as needed.

Despite that, I'm not on grarpamp's side.

People are installing the FreeBSD system on their computers - it requires a 
lot of trust. Most users can trust even the CA list that's part of the 
FreeBSD system.

And those paranoid users like me? We will check the pre-installed CA list 
all the time. We do it now and we will do it even in the future. 
Because we trust no one. So we don't care what the content of the file in 
the stock install is.

So I don't vote for grarpamp's proposal. It will decrease the effective 
security of the "standard user" and it will not help the paranoid ones.

But it would be nice to know how it works. Which CAs are included in the 
distributed bundle? Who is making the final decision? What rules is he 
obliged to follow?

It should be documented somewhere.

> Having tried to verify the certificate for a bank when verisign f'd
> up their cert really doesn't work, trust me I've tried it, the
> support has zero clue what you're talking about, and they have no
> process to handle such a question...

My bank has defined the process you are speaking of here. I have been the IT 
security officer of such a bank and I defined the process in question. In 
about ten years, there has been one (!) call asking for verification of the 
certificate. And it was a call from my friend, who was curious 
to verify whether it works ...

Despite that, it's not an argument related to the topic we are 
speaking about.  Certificates are just a tool. They can be used properly 
or improperly. The proper use of a tool depends on the goal, so the goal needs 
to be discussed first.

Dan


