From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 00:17:21 2011
Date: Tue, 5 Apr 2011 09:05:47 +1000
From: richo
To: freebsd-security@freebsd.org
Subject: Re: SSL is broken on FreeBSD
Message-ID: <20110404230546.GA25778@richh-desktop.boxdice.com.au>
References: <1301729856.5812.12.camel@w500.local> <20110404205705.GA52172@server.vk2pj.dyndns.org>
In-Reply-To: <20110404205705.GA52172@server.vk2pj.dyndns.org>
X-PGP-Key: http://natalya.psych0tik.net/~richo/pubkey.asc
User-Agent: Mutt/1.5.21 (2010-09-15)

On 05/04/11 06:57 +1000, Peter Jeremy wrote:
>On 2011-Apr-02 08:37:36 +0100, Miguel Lopes Santos Ramos wrote:
>>The only root CAs that could be included by default would be those of
>>governments (but which governments do you trust?) and things like
>>CAcert.org.
>
>Actually, there was a certificate port that included CAcert.org but
>the port was dropped for various reasons. And Mozilla doesn't
>currently trust CAcert.org so why should FreeBSD? (Note that Mozilla
>has defined an audit process to verify CAs and CAcert.org is slowly
>working towards compliance).
>
>It has occurred to me that maybe the FreeBSD SO should create a root
>cert and distribute that with FreeBSD. That certificate would at
>least have the same trust level as FreeBSD.
>
>-- 
>Peter Jeremy

But what would that CA trust? You'd then find yourself back in the
original debate of what is considered trustworthy, which I agree is an
issue for the user and not for the distribution.

Out of idle curiosity, what does OpenBSD ship with their SSL
implementation?

richo

-- 
richo || Today's excuse: 
We didn't pay the Internet bill and it's been cut off.