(1) The pkg_add man page says that digitally signed packages are checked against authorities in /etc/ssl/pkgca.pem.

I didn't find this pkgca.pem at said place, although pkg_add is indeed installed. I suppose checking of digitally signed packages will not be possible without these certificates. So where will that pkgca.pem come from? And how is it constituted? Mozilla has a "CA policy", but I doubt it really works, since rogue CAs already did bad things (to people) via Mozilla's CAs. How are things done in OpenBSD?

(2) What I found in /etc/ssl was a cert.pem which apparently contained CAs. Some questions: Where did it come from? How was it constituted by the OpenBSD team? Is there some kind of CA policy?

(3) Displaying that certificate file with openssl x509 -noout -in cert.pem -text [or -issuer or -subject] yielded data of ONE certificate. However, with "less cert.pem" it's quickly obvious that the file contains lots of certificates from different CAs. This seems quite strange to me. Not even a warning, nothing that tells you the file contains many certificates. There does not seem to be an option to list all the certificates in such a cert.pem file. Of course I can grep the somewhat cluttered fields. But shouldn't it be easy to list the CAs contained in such a file? In fact, that cert.pem is a keyring. Which commands exist to examine such a keyring?

Generally speaking (not especially on OpenBSD!), I find it difficult to check certificates. I did this exercise on a Linux box and found hundreds of certificates in different places. The tools seem to be more or less useful for creating certificates from data, but not at all for easily getting an overview of where all the trust they represent goes. It's useful to build a hierarchical system, but not to clearly show it, and how it works, to the user. This seems bad to me.

Peer
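One way to get the "list every CA in this keyring" view the post asks for, added here as an example and not part of the original message or of OpenBSD: a standard-library-only Python script that splits a PEM bundle such as /etc/ssl/cert.pem into its certificates and reports each one's subject, issuer, whether it is self-signed (a root) and its SHA-256 fingerprint. The two certificates it runs on are a constructed, unsigned, structure-only sample, not real CA data; on a real system you would pass open("/etc/ssl/cert.pem").read() to list_bundle.

```python
import base64, hashlib, re

def _items(buf):  # yield (tag, value) for each DER TLV element in buf
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                   # long-form length: next n bytes hold it
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

# DER-encoded OIDs of the attribute types that make up most CA names
_ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def _name(b):  # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }
    atvs = [list(_items(atv)) for _, rdn in _items(b) for _, atv in _items(rdn)]
    return ", ".join(f"{_ATTR.get(o, o.hex())}={v.decode('utf-8', 'replace')}" for (_, o), (_, v) in atvs)

def cert_info(der):
    """Subject, issuer, self-signed flag and SHA-256 fingerprint of one DER certificate."""
    tbs = next(_items(next(_items(der))[1]))[1]         # Certificate -> TBSCertificate
    f = list(_items(tbs))
    if f[0][0] == 0xA0:                                 # drop optional [0] EXPLICIT version
        f = f[1:]                                       # now: serial, sigAlg, issuer, validity, subject, ...
    issuer, subject = _name(f[2][1]), _name(f[4][1])
    return {"subject": subject, "issuer": issuer, "self_signed": subject == issuer,
            "sha256": hashlib.sha256(der).hexdigest()}

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def list_bundle(pem_text):
    """Every certificate in a PEM bundle such as /etc/ssl/cert.pem, in file order."""
    return [cert_info(base64.b64decode(m.group(1))) for m in _PEM.finditer(pem_text)]

# Constructed sample bundle: two unsigned, structure-only certificates, not real CA data.
def _der(tag, body):                                    # short-form lengths only (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

def _sample(subject_cn, issuer_cn):
    name = lambda s: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, s.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA
    t = _der(0x17, b"240101000000Z")                    # UTCTime
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, t + t) + name(subject_cn) + _der(0x30, _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # signature left empty: structure only

SAMPLE_BUNDLE = "".join("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(c).decode() + "-----END CERTIFICATE-----\n"
                        for c in (_sample("Root CA", "Root CA"), _sample("Sub CA", "Root CA")))
```

With the openssl command-line tool the same listing can be had by splitting the file on the BEGIN/END markers and feeding each block to openssl x509 -noout -subject -issuer -fingerprint, which is what the script does without an external tool.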