> Date: Wed, 23 Aug 2023 16:29:21 -0400
> From: Thor Lancelot Simon
>
> I would like to be sure we will avoid any use of public CA's certificates
> to establish trust for upgrades of NetBSD itself, or of packages. Otherwise,
> we will find ourselves in a situation where we can never recover if a
I would like to be sure we will avoid any use of public CA's certificates
to establish trust for upgrades of NetBSD itself, or of packages. Otherwise,
we will find ourselves in a situation where we can never recover if a CA
goes rogue.
Thor
On Sat, Aug 19, 2023 at 04:51:29PM +, Taylor R Camp
With the certctl patch on the table, I think it will be possible for
anybody who wants to
install mozilla-rootcerts
change certctl.conf to point to it
and get what abs@ wants for updates (which is different that everybody
getting it by default).
I am now in the "this is not really different
Taylor R Campbell writes:
> This is exactly what you get if you populate a directory
> /usr/local/mycerts with the .pem certificates you want and then add
> the line
>
> path /usr/local/mycerts
>
> to /etc/openssl/certs.conf, alongside the line
>
> path /usr/share/certs/mozilla/server
>
> which i
> Date: Sun, 20 Aug 2023 22:32:38 +0100
> From: David Brownlee
>
> There was a previous thread that mooted the idea of using the project
> built mozilla-rootcerts packages (which are just tarfiles) as the
> source for some mechanism to populate on-system certificates, such as
> your proposed cert
There was a previous thread that mooted the idea of using the project
built mozilla-rootcerts packages (which are just tarfiles) as the
source for some mechanism to populate on-system certificates, such as
your proposed certctl. (mozilla-rootcerts is the base package which
just populates into PREFI
> Date: Sun, 20 Aug 2023 10:38:01 -0400
> From: Greg Troxel
>
> I'd like to see three things handled (which might be already):
>
> 1)
>
> a way for a user to install a CA cert (as a trust anchor -- I think it
> would be good for docs to use pkix terminology) that is not part of
> the mozi
Overall I like this. Thank you for listening to the various comments
and coming up with a mechanism that is configurable for almost all
possible policies that have been expressed.
I'd like to see three things handled (which might be already):
1)
a way for a user to install a CA cert (as a tr
On 2023-08-20 08:12, Taylor R Campbell wrote:
[---]
Rhetorical Devil's advocate question: What's the potential blast
radius for the worst case scenario where a CA's private key is
compromised before its certificate expires and a bunch of NetBSD users
don't update their bundle for two years?
> Date: Sun, 20 Aug 2023 05:43:23 +0200
> From: Jan Danielsson
>
> My objection in the past has been along the line of: If an
> organization is not willing to keep a CA bundle up-to-date for a user,
> then it should not dump a CA bundle that may grow stale onto their
> system either. But
On 2023-08-19 18:51, Taylor R Campbell wrote:
TL;DR -- I propose to:
- Ship Mozilla's root CA certificates in base.
- Have ftp(1) and pkg_add(1) use them for TLS validation by default.
- Provide ways for you to persistently:
. exclude individual CA certificates,
. add to or change the root
11 matches
Mail list logo
