Include OpenSSL root CA cert list?

2000-09-04 Thread Nick Sayer


If something like this already exists, then my searches must have
missed it.

In order to improve the usefulness of the openssl installation,
I would like to suggest that a collection of CA root certs be
added to the base installation and perhaps even referenced by
the conf file.

Included with the mod-ssl package there is a file called ca-bundle.crt,
which purports to be the certificate list that comes with
Netscape Navigator/Communicator. I propose to include this file
under /usr/share, perhaps as /usr/share/openssl/ca-bundle.crt.

For those unfamiliar, SSL security works by starting with a list
of trusted certificates. This list serves a similar purpose as
the DNS root cache -- it serves as a starting place for establishing
the trustworthiness of SSL certificates. The roots are trusted, and
a path of authority can be traced down from the root certs through
intermediate certificates finally to a cert that might be used for
either an SSL server or S/MIME mail signing or code signing or
whatever.

By incorporating this file, certificate verification becomes possible
merely with a default installation of FreeBSD. And there's no reason
that the list should stay static, although I would suggest it would
be up to us to come up with some sort of criteria for determining the
level of security required for an arbitrary CA to be deemed "trustworthy".

What does everyone think?


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
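The trust model described in the proposal above (a bundle of trusted roots, a path of authority traced through intermediates down to a server cert) can be exercised end to end with the openssl command line. The script below is an added example, not code from this thread or from the FreeBSD or OpenSSL projects: it builds two self-signed roots, an intermediate and a server leaf, assembles a small ca-bundle from the roots, and shows which verifications succeed and which fail. The CA names, host name, file names and scratch directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example: exercise the root -> intermediate -> leaf trust model with the
# openssl CLI. All names and paths below are assumptions made for the demo.
set -u

WORK=$(mktemp -d)                      # hypothetical scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Helper: P-256 private key (fast to generate; RSA would work the same way).
mkkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# Helper: CSR for a given key and subject CN.
mkcsr() { openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }

# Helper: issue a certificate from CSR $1, signed by issuer cert $2 / key $3,
# with the X.509v3 extensions listed in $4, written to $5. The extensions decide
# whether the result may itself sign certificates (CA:TRUE + keyCertSign) or not.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -extfile "$4" -out "$5" 2>/dev/null
}

# Extension sets for each level of the hierarchy.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > int.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Two self-signed roots: one we will put in the bundle, one we will not.
for ca in root other; do
  mkkey $ca.key && mkcsr $ca.key "Example $ca CA" $ca.csr &&
  openssl x509 -req -in $ca.csr -signkey $ca.key -days 30 -extfile ca.ext -out $ca.pem 2>/dev/null
done

# root -> intermediate -> leaf (an SSL server cert for www.example.test).
mkkey int.key  && mkcsr int.key  "Example Intermediate CA" int.csr  && issue int.csr  root.pem root.key int.ext  int.pem
mkkey leaf.key && mkcsr leaf.key "www.example.test"        leaf.csr && issue leaf.csr int.pem  int.key  leaf.ext leaf.pem

# A cert "issued" by the leaf: the leaf's key can sign anything, but the leaf
# carries CA:FALSE and no keyCertSign, so no valid path can run through it.
mkkey rogue.key && mkcsr rogue.key "rogue.example.test" rogue.csr && issue rogue.csr leaf.pem leaf.key leaf.ext rogue.pem

# The trust store: the equivalent of ca-bundle.crt, a concatenation of root PEMs.
cat root.pem other.pem > ca-bundle.crt
# What a server would send alongside its own cert (plus the leaf, for the rogue test).
cat int.pem leaf.pem   > untrusted-chain.pem

# chain_status TRUSTSTORE UNTRUSTED TARGET -> prints OK or FAIL.
# UNTRUSTED is a PEM file of certs openssl may use to build the path but does
# not trust by itself; pass "" when no intermediates are available.
# -no-CApath keeps the system certificate directory out of the picture so the
# result depends only on the bundle we pass in.
chain_status() {
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -no-CApath -CAfile "$1" "$3" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

echo "full chain, root in bundle:    $(chain_status ca-bundle.crt int.pem leaf.pem)"
echo "root absent from trust store:  $(chain_status other.pem     int.pem leaf.pem)"
echo "intermediate not supplied:     $(chain_status ca-bundle.crt ''      leaf.pem)"
echo "cert signed by a non-CA leaf:  $(chain_status ca-bundle.crt untrusted-chain.pem rogue.pem)"
```

Two things worth noting when using this against a real ca-bundle.crt: without `-no-CApath`, `openssl verify` also consults the compiled-in certificate directory, so a verification can succeed for a root that is not in the file you passed; and a trust store that contains only the intermediate (no self-signed root) is rejected by default and only accepted with `-partial_chain`. Adding `-purpose sslserver` additionally checks that the leaf's extended key usage matches what a TLS server needs.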



Re: Include OpenSSL root CA cert list?

2000-09-04 Thread Poul-Henning Kamp

In message [EMAIL PROTECTED], Nick Sayer writes:

> If something like this already exists, then my searches must have
> missed it.
>
> In order to improve the usefulness of the openssl installation,
> I would like to suggest that a collection of CA root certs be
> added to the base installation and perhaps even referenced by
> the conf file.
>
>
> What does everyone think?

Make it a port...

--
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED] | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.



Re: Include OpenSSL root CA cert list?

2000-09-04 Thread Kris Kennaway

On Mon, 4 Sep 2000, Poul-Henning Kamp wrote:

> In message [EMAIL PROTECTED], Nick Sayer writes:
>
> > If something like this already exists, then my searches must have
> > missed it.
> >
> > In order to improve the usefulness of the openssl installation,
> > I would like to suggest that a collection of CA root certs be
> > added to the base installation and perhaps even referenced by
> > the conf file.
> >
> >
> > What does everyone think?
>
> Make it a port...

This is probably fair enough - nothing in the base system needs these, at
least until fetch learns how to speak https.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]


