Daniel Roethlisberger wrote:
I share your view that there should be functional HTTPS capability in
a base install.
I think we're all agreed on that, my point is that the statement "a base
install should have a CA bundle by default" does not have to imply
"every FreeBSD system must accept a the same CAs". A "base install" is
something that's been customized by the installer: we don't all have the
same keyboard, we don't all extract a ports tree at install time, so why
not make CA bundles part of the install-time customization?
Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not
subtractive: we can make it easy for users to install whatever CA
bundles they like, but if you put a bad CA cert in the base system, I
have to manually patch the base system, even in environments where I'd
rather use binary releases and freebsd-update.
Jon
--
Jonathan Anderson
[email protected]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
