On Fri, Apr 01, 2011 at 06:50:33PM -0400, Brian Reichert wrote:
>
> That you got this same command to work implies you have a different
> set of CAs than I.
>
> His point (someone please correct me, if necessary) is that without
> what he considers a reasonable set of trusted CAs in place, SSL under
> FreeBSD is 'broken'.
>
> I interpret this thread now to be a debate of terms 'reasonable'
> and 'trusted', and further, whose responsibility is it to populate
> that list of CAs on his machine.

In case anyone cares what I think . . .

I don't think that either of the two options currently under discussion (quietly provide a "trusted" CA list or quietly failing to provide one) is optimal. In the best-case scenario, I guess there would be some self-evident system for letting the user choose what to use, if anything, giving a very brief, glancing explanation of the meaning of trust in this circumstance.

Failing that -- given the options currently available to us without writing more software to do it differently in a way that's compatible with how we manage our OSes -- I don't much care whether a list of "trusted" CAs is included or not. The important thing here is knowledge, and both approaches under discussion fail to impart any knowledge upon the user, so it's six of one and half a dozen of the other.

I'm open to being convinced it really matters, though, if someone has an argument more compelling than Istvan's.

(This ignores the notion that there are simply better ways to validate certs than via CA trust, which is a somewhat separate issue.)

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]