On 3 July 2014 07:57, Jonathan Anderson <[email protected]> wrote: > Just my $.02, but if the FreeBSD project is to maintain a > ca-root-freebsd.pem, I think it should have one certificate in it: the root > FreeBSD Project cert. Beyond that, I'm not willing to vouch for the > trustworthiness of any CA, and I don't think the Project should either. Perhaps we should remove HTTPS support from libfetch and require the user to install wget or curl if they want to use SSL? Having a *default* certificate bundle (that could be removed / edited, of course) is not necessarily even making a trust claim about a particular cert. [0] IMHO the position where the majority of SSL on the internet is broken by default is not tenable. We support HTTP. We don't support HTTPS. The browsers spend a lot of time on this problem. We don't. I am not asserting that the Mozilla set is perfect. I am asserting that we should have *functional* SSL in the base system, and that using the Mozilla set is a good way to obtain that with a good enough policy. [0] It might be, but doesn't have to be [1] See https://wiki.mozilla.org/CA:How_to_apply and https://groups.google.com/forum/#!forum/mozilla.dev.security.policy -- Eitan Adler _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"