Benny Siegert <bsiegert%gmail.com@localhost> writes:

> The question of root certificates for OpenSSL in base came up recently
> in pkgsrc. That got me thinking: why does NetBSD not come with a set
> of certificates in the base system? The set that mozilla-rootcerts
> delivers would be a reasonable thing to put there, because
> (a) that’s what literally everyone ends up installing anyway and
> (b) it does not require us to make a moral judgement about individual CAs.

The comparison to tzdata is not quite right. Timezones are just facts about what names mean. The mozilla CA set, not configured as trust anchors, is arguably the same conceptually. But once configured as trust anchors, it's a trust decision. So it's like the ssh fingerprints for TNF hosts in /etc/ssh/ssh_known_hosts, but with a level of indirection.

I agree that the perl issue is easy to address. Maybe kre can rewrite the script in sh/sed/awk :-)

Overall, I think this is a difficult issue. Part of the problem is that the whole CA situation is a bit surreal, having a large number of CAs that are in theory all trustworthy when logic defies that conclusion. But, it is how people validate X.509.

There are several questions that I think need answering as part of a proposal to add the mozilla set:

1) What do other Free operating systems do? What was their thought process in terms of balancing convenience, good engineering judgement and security? How has it worked out?

2) Do any programs in the base system validate certificate chains, or fail to accept unvalidated certificates, by default? If not, why is this a base issue? Or are you also proposing to change those defaults?

3) Do other operating systems just use the mozilla set?

One controversial issue is the US government CA hierarchy, which I run into on government sites. As I understand it, they haven't met the mozilla criteria, but they seem well run, and the risk of government misbehavior seems significant for all CAs associated with governments or in countries where government/CA is blurred, and I have the impression quite a few CAs for which government misbehavior is a rational concern are in the mozilla set. Probably the same issue exists for other national CAs. I'm not really opposed, more very reluctant to conclude this is ok, but I'm not sure that's rational.