Stuart Henderson wrote:
> On 2015-07-30, Ted Unangst <t...@tedunangst.com> wrote:
> > Michael McConville wrote:
> >> > Another meat could be, why you're using self-signed certificates?
> >> > Given the plethora of options for getting free (valid) certificates.
> >>
> >> He mentioned in his original email that it's a requirement where he
> >> works. That's common, from what I hear, although probably not the
> >> safest.
> >
> > I would consider a cert signed by somebody I actually trust (me) safer than
> > delegating that trust to 300 strangers.
>
> I think cert.pem should move to the etc set, so you can remove
> CAs from the file (as well as add new ones) without risk of those
> changes getting reverted.
>
> Downside: CA changes will then only take effect after running
> sysmerge. Is that a problem?

Not in my mind. I'm all for this; it's outside my department or I would have suggested the same.