From: Chad Perrin
To: freebsd-security
Date: Fri, 1 Apr 2011 17:30:09 -0600
Message-ID: <20110401233009.GA87214@guilt.hydra>
In-Reply-To: <20110401225033.GL86409@numachi.com>
Subject: Re: SSL is broken on FreeBSD

On Fri, Apr 01, 2011 at 06:50:33PM -0400, Brian Reichert wrote:
>
> That you got this same command to work implies you have a different
> set of CAs than I.
>
> His point (someone please correct me, if necessary) is that without
> what he considers a reasonable set of trusted CAs in place, SSL under
> FreeBSD is 'broken'.
>
> I interpret this thread now to be a debate of terms 'reasonable'
> and 'trusted', and further, whose responsibility is it to populate
> that list of CAs on his machine.

In case anyone cares what I think . . .

I don't think that either of the two options currently under discussion
(quietly providing a "trusted" CA list or quietly failing to provide one) is
optimal. In the best-case scenario, I guess there would be some
self-evident system for letting the user choose what to use, if anything,
giving a very brief, glancing explanation of the meaning of trust in this
circumstance.

Failing that -- given the options currently available to us without
writing more software to do it differently in a way that's compatible
with how we manage our OSes -- I don't much care whether a list of
"trusted" CAs is included or not. The important thing here is knowledge,
and both approaches under discussion fail to impart any knowledge upon
the user, so it's six of one and half a dozen of the other.

I'm open to being convinced it really matters, though, if someone has an
argument more compelling than Istvan's.

(This ignores the notion that there are simply better ways to validate
certs than via CA trust, which is a somewhat separate issue.)

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]