On 2023-08-20 08:12, Taylor R Campbell wrote:
[---]
Rhetorical Devil's advocate question: What's the potential blast
radius for the worst case scenario where a CA's private key is
compromised before its certificate expires and a bunch of NetBSD users
don't update their bundle for two years?

Overall I like this. Thank you for listening to the various comments
and coming up with a mechanism that is configurable for almost all
possible policies that have been expressed.

I'd like to see three things handled (which might be already):

1)

a way for a user to install a CA cert (as a tr

> Date: Sun, 20 Aug 2023 10:38:01 -0400
> From: Greg Troxel
>
> I'd like to see three things handled (which might be already):
>
> 1)
>
> a way for a user to install a CA cert (as a trust anchor -- I think it
> would be good for docs to use pkix terminology) that is not part of
> the mozi

There was a previous thread that mooted the idea of using the project
built mozilla-rootcerts packages (which are just tarfiles) as the
source for some mechanism to populate on-system certificates, such as
your proposed certctl. (mozilla-rootcerts is the base package which
just populates into PREFI

On Aug 5, 2023, at 12:11 PM, Greg Troxel wrote:
>
> As for 'external SDK', that would be "install some other OS and cross
> build", but when you cross build for android or ios, you do that from a
> system which is a full install.
This isn’t the case for the Apple platforms; Xcode comes with sysr

> Date: Sun, 20 Aug 2023 22:32:38 +0100
> From: David Brownlee
>
> There was a previous thread that mooted the idea of using the project
> built mozilla-rootcerts packages (which are just tarfiles) as the
> source for some mechanism to populate on-system certificates, such as
> your proposed cert