On 2023-08-19 18:51, Taylor R Campbell wrote:
> TL;DR -- I propose to:
> - Ship Mozilla's root CA certificates in base.
> - Have ftp(1) and pkg_add(1) use them for TLS validation by default.
> - Provide ways for you to persistently:
>   . exclude individual CA certificates,
>   . add to or change the root CA set altogether, or
>   . let something else like a pkgsrc package manage /etc/openssl/certs,
>   so that upgrading NetBSD won't override your TLS trust root
>   decisions.
> Objections?
My objection in the past has been along the lines of: if an
organization is not willing to keep a CA bundle up-to-date for a user,
then it should not dump a CA bundle that may grow stale onto their
system either. But that's more of a "pick a well-trusted CA bundle, and
provide a mirror of it that people can synchronize from -- and keep it
up-to-date" argument, rather than a "don't do it" argument.
Will the in-tree bundle be updated regularly? I could probably live
with "Keep your NetBSD base system updated to keep your CA bundle
updated", but if I would rebuild my systems from the latest sources and
not get the latest bundle I'd probably find it to be a little annoying.
Rhetorical Devil's advocate question: What's the potential blast
radius for the worst case scenario where a CA's private key is
compromised before its certificate expires and a bunch of NetBSD users
don't update their bundle for two years?
--
Kind Regards,
Jan