If something like this already exists, then my searches must have
missed it.

In order to improve the usefulness of the openssl installation,
I would like to suggest that a collection of CA root certs be
added to the base installation and perhaps even referenced by
the conf file.

Included with the mod-ssl package there is a file called ca-bundle.crt,
which purports to be the certificate list that comes with
Netscape Navigator/Communicator. I propose to include this file
under /usr/share, perhaps as /usr/share/openssl/ca-bundle.crt.

For those unfamiliar, SSL security works by starting with a list
of trusted certificates. This list serves a similar purpose as
the DNS root cache -- it serves as a starting place for establishing
the trustworthiness of SSL certificates. The roots are trusted, and
a path of authority can be traced down from the root certs through
intermediate certificates finally to a cert that might be used for
either an SSL server or S/MIME mail signing or code signing or

By incorporating this file, certificate verification becomes possible
merely with a default installation of FreeBSD. And there's no reason
that the list should stay static, although I would suggest it would
be up to us to come up with some sort of criteria for determining the
level of security required for an arbitrary CA to be deemed "trustworthy".

What does everyone think?

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to