From: Kurt Jaeger <pi@freebsd.org>
To: tech-lists
Cc: Glen Barber, "Montgomery-Smith, Stephen", freebsd-stable@freebsd.org
Date: Sun, 16 Sep 2018 18:54:30 +0200
Subject: Re: Error validating server certificate
Message-ID: <20180916165430.GG2118@home.opsec.eu>
References: <20180912143719.GQ24641@FreeBSD.org> <03f42d93-57b0-062d-0fee-720c6444e58c@zyxst.net>
In-Reply-To: <03f42d93-57b0-062d-0fee-720c6444e58c@zyxst.net>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

Hi!

> > You will not see this if you install the security/ca_root_nss port.
>
> Why is security/ca_root_nss not present in base?

There are several reasons:

- The project is hesitant to endorse certificate authorities (CAs), as some of
  them might be (or become) of questionable trustworthiness during the lifetime
  of a release, and adding/changing all or some of them in base would add the
  workload of deciding which ones to include or to exclude.

- The amount of work to cut a new release or a patch for a release is large.
  If you look at the update frequency for the port:

    https://www.freshports.org/security/ca_root_nss/

  it would burden the project with base updates just for the CAs.

- Some suggested that the FreeBSD project should operate its own CA, issue
  certs for project sites and include that CA in base. Running and securing a
  CA is not a simple endeavour, so we hesitated to do so.

> I mean, on a brand new install, one goes to update the sources, and just
> the sources. And this error is issued?
>
> I think it looks bad. Do you agree?

Yes, we all agree that it looks bad, but we have not yet found a simple,
workable solution. Yes, it was discussed many times in the past.

-- 
pi@FreeBSD.org         +49 171 3101372                    2 years to go !