On Apr 4, 2011, at 7:39 PM, "Garrett Wollman" <woll...@bimajority.org> wrote:
> <<On Tue, 5 Apr 2011 09:05:47 +1000, richo <ri...@psych0tik.net> said:
>
>> On 05/04/11 06:57 +1000, Peter Jeremy wrote:
>>> It has occurred to me that maybe the FreeBSD SO should create a root
>>> cert and distribute that with FreeBSD. That certificate would at
>>> least have the same trust level as FreeBSD.
>>>
>>> --
>>> Peter Jeremy
>
>> But what would that CA trust?
>
> The certificates he also generates for services like freebsd-update
> and portsnap. And probably also a certificate for use in email to the
> security-officer role, so that those benighted people who only have
> access to S/MIME email can still send him private messages. Ideally
> it would also be used to sign the CHECKSUMS files on the FTP site, so
> that the installer could check whether it was talking to an authentic
> mirror site and ask the user what to do.
>

Not ideally, but rather critically, should the CHECKSUMS files be signed with some well guarded and official public key. Not to sound paranoid or anything...

I would welcome having a 'FreeBSD' root certificate ship with the OS but would leave the other certs to the domain of a port that I install when needed.

FWIW (and forgive me if this is already the case) it would be nice to have a port equivalent to security/ca_root_nss that would allow the user to select which certs get installed during configuration.

Cheers,

Dan van Pelt