On 26.2.2021 2:07, John-Mark Gurney wrote:
>> Third party CA's are an untrusted automagical nightmare of global and
>> local MITM risk...
> Do you delete all the CA's from your browsers then?

Yes, I'm cleaning them from the browser, then I'm adding a few CAs as needed.
Despite that, I'm not on grarpamp's side.

People are installing the FreeBSD system on their computers - it requires a lot
of trust. Most users can trust even the CA list that's part of the FreeBSD
system.

And those paranoid users like me? We will check the pre-installed CA list
all the time. We do it now and we will do it even in the future.
Because we trust no one. So we don't care what the content of the file in
the stock install is.

So I don't vote for grarpamp's proposal. It will decrease the effective
security of the "standard user" and it will not help the paranoid ones.

But it would be nice to know how it works. What CAs are included in the
distributed bundle? Who is making the final decision? What rules is he
obliged to follow?

It should be documented somewhere.

> Having tried to verify the certificate for a bank when verisign f'd
> up their cert really doesn't work, trust me I've tried it, the
> support has zero clue what you're talking about, and they have no
> process to handle such a question...

My bank has defined the process you are speaking of here. I have been the IT
security officer of such a bank and I defined the process in question. In
about ten years, there has been one (!) call asking for verification of the
certificate. And it was a call from my friend who was curious
to verify whether it works ...

Despite that, it's not an argument related to the topic we are
speaking about. Certificates are just a tool. They can be used properly
or improperly. The proper use of a tool depends on the goal, so the goal needs
to be discussed first.

Dan
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security