SSL is broken on FreeBSD
richo
richo at psych0tik.net
Tue Apr 5 00:17:21 UTC 2011
On 05/04/11 06:57 +1000, Peter Jeremy wrote:
>On 2011-Apr-02 08:37:36 +0100, Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> wrote:
>>The only root CAs that could be included by default would be those of
>>governments (but which governments do you trust?) and things like
>>CAcert.org.
>
>Actually, there was a certificate port that included CAcert.org but
>the port was dropped for various reasons. And Mozilla doesn't
>currently trust CAcert.org so why should FreeBSD? (Note that Mozilla
>has defined an audit process to verify CAs and CAcert.org is slowly
>working towards compliance).
>
>It has occurred to me that maybe the FreeBSD SO should create a root
>cert and distribute that with FreeBSD. That certificate would at
>least have the same trust level as FreeBSD.
>
>--
>Peter Jeremy
But what would that CA trust?

You'd then find yourself back in the original debate of what is considered
trustworthy, which I agree is an issue for the user and not for the
distribution.

Out of idle curiosity, what does OpenBSD ship with their SSL implementation?

richo
--
richo || Today's excuse:
We didn't pay the Internet bill and it's been cut off.