tech-userlevel archive


Shipping SSL certificates in the base system



The question of root certificates for OpenSSL in base came up recently in pkgsrc. That got me thinking: why does NetBSD not come with a set of certificates in the base system? The set that mozilla-rootcerts delivers would be a reasonable thing to put there, because 
(a) that’s what literally everyone ends up installing anyway and 
(b) it does not require us to make a moral judgement about individual CAs.

This would have the advantage of no longer requiring mozilla-rootcerts to be installed explicitly. This removes one source of confusion too; for a n00b, it is not obvious that this is necessary, or why. Thus, it would be a sane default.

Disadvantage: the script that takes the file from Mozilla and munges it is in Perl. But its _output_ could be checked in instead, so that the script does not need to be run during a build. (There might also be issues around licensing, but I defer to others for that.)

agc made the argument that including certificates is similar to including time zone data, which we do. We do not tell users to install a package to use non-UTC timezones, for instance.

What do you think?

—Benny.

