Date: Fri, 1 Apr 2011 17:30:09 -0600
From: Chad Perrin <perrin@apotheon.com>
To: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: SSL is broken on FreeBSD
Message-ID: <20110401233009.GA87214@guilt.hydra>
In-Reply-To: <20110401225033.GL86409@numachi.com>
References: <20110401153300.GA85392@guilt.hydra> <AANLkTi=fqSAMiGtGQO1%2Bt1QbhNY1m_S%2Bx294WX3zHpOK@mail.gmail.com> <4D9639B0.1070302@FreeBSD.org> <AANLkTi=17e7qE8yAACKiYSvpvsUZhDJu4e=mmM%2BhHwr8@mail.gmail.com> <4D963C23.4080100@FreeBSD.org> <AANLkTi=BrOUJsbJxdpg3-njsj-Msug-cnjH1ycLFrdPx@mail.gmail.com> <20110401212648.GK86409@numachi.com> <AANLkTikMSE9sx1StHQ4WRN7hq3hmPG3qetLRJkn8SCr9@mail.gmail.com> <4D9654BC.6040808@supsi.ch> <20110401225033.GL86409@numachi.com>

On Fri, Apr 01, 2011 at 06:50:33PM -0400, Brian Reichert wrote:
>
> That you got this same command to work implies you have a different
> set of CAs than I.
>
> His point (someone please correct me, if necessary) is that without
> what he considers a reasonable set of trusted CAs in place, SSL under
> FreeBSD is 'broken'.
>
> I interpret this thread now to be a debate of terms 'reasonable'
> and 'trusted', and further, whose responsibility is it to populate
> that list of CAs on his machine.

In case anyone cares what I think . . .

I don't think that either of the two options currently under discussion (quietly providing a "trusted" CA list or quietly failing to provide one) is optimal. In the best-case scenario, I guess there would be some self-evident system for letting the user choose what to use, if anything, giving a very brief, glancing explanation of the meaning of trust in this circumstance.

Failing that -- given the options currently available to us without writing more software to do it differently in a way that's compatible with how we manage our OSes -- I don't much care whether a list of "trusted" CAs is included or not. The important thing here is knowledge, and both approaches under discussion fail to impart any knowledge upon the user, so it's six of one and half a dozen of the other. I'm open to being convinced it really matters, though, if someone has an argument more compelling than Istvan's.

(This ignores the notion that there are simply better ways to validate certs than via CA trust, which is a somewhat separate issue.)

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]