Re: [PATCH] HTTPS/TLS CA certificates in base

2023-08-20 Thread Jan Danielsson
On 2023-08-20 08:12, Taylor R Campbell wrote: [---] Rhetorical Devil's advocate question: What's the potential blast radius for the worst case scenario where a CA's private key is compromised before its certificate expires and a bunch of NetBSD users don't update their bundle for two years?

Re: [PATCH] HTTPS/TLS CA certificates in base

2023-08-19 Thread Jan Danielsson
On 2023-08-19 18:51, Taylor R Campbell wrote: TL;DR -- I propose to: - Ship Mozilla's root CA certificates in base. - Have ftp(1) and pkg_add(1) use them for TLS validation by default. - Provide ways for you to persistently: . exclude individual CA certificates, . add to or change the root

Re: colorls in base

2019-02-16 Thread Jan Danielsson
ory entries, on the other hand, is a direct hindrance. I don't see why anyone would disagree with the proposal to add colorls disabled by default though. If the default color scheme doesn't suck, I'll even give it a try myself. -- Kind Regards, Jan Danielsson

Re: adding stuff to the base installation to make user experience better

2017-07-06 Thread Jan Danielsson
that's the norm, then it's pretty trivial to write a "weblogin" tool which could be included in base for these types of bootstrapping needs. -- Kind regards, Jan Danielsson

Re: Shipping SSL certificates in the base system

2017-07-06 Thread Jan Danielsson
*that's* what we're saying. Anywho, when people start assigning obviously incorrect beliefs to you in a discussion you know it'll just get uglier, so I'm out. [---] > But they are better than nothing. Deal. I literally have zero power to affect any decisions, so I have no other option than to "Deal". :) -- Kind regards, Jan Danielsson

Re: Shipping SSL certificates in the base system

2017-07-05 Thread Jan Danielsson
f "let's ship a bundle of outdated certs, with no means of keeping them up-to-date, just to shut programs up.", which was my interpretation of the original suggestion. (Your reply made it clear that I hadn't made that point sufficiently clear in my previous posts). I like the direction you're taking this; please don't take my posts as discouragement. -- Kind regards, Jan Danielsson

Re: Shipping SSL certificates in the base system

2017-07-05 Thread Jan Danielsson
ted if they assigned a Chief PKI Officer role and offered a proper CA distribution solution). With all that being said, you're not wrong about the complexities of X509 actually lowering security in many instances, but it's still the user's choice to do so. -- Kind Regards, Jan Danielsson

Re: Shipping SSL certificates in the base system

2017-07-02 Thread Jan Danielsson
's a good illustration of why it's a bad idea to just hand over a bunch of CAs to users without any mechanism for keeping the CA database, and CRLs, up to date. Mozilla and Google like to update their browsers every few hours, which is annoying, but at least it helps keep the PKI datastore up to date. -- Kind regards, Jan Danielsson

Re: shmod

2016-03-19 Thread Jan Danielsson
On 18/03/16 01:34, James K. Lowden wrote: [---] > 4. -q option to print nothing if no error Would you consider making it quiet by default? It's kind of annoying having to silence tools run in cronjobs; I much prefer "say nothing unless you have something important to say.". -- Kind Regar