On 2023-08-19 18:51, Taylor R Campbell wrote:
TL;DR -- I propose to: - Ship Mozilla's root CA certificates in base. - Have ftp(1) and pkg_add(1) use them for TLS validation by default. - Provide ways for you to persistently: . exclude individual CA certificates, . add to or change the root CA set altogether, or . let something else like a pkgsrc package manage /etc/openssl/certs, so that upgrading NetBSD won't override your TLS trust root decisions. Objections?
My objection in the past has been along the line of: If an organization is not willing to keep a CA bundle up-to-date for a user, then it should not dump a CA bundle that may grow stale onto their system either. But that's more of a "pick a well-trusted CA bundle, and provide a mirror of it that people can synchronize from -- and keep it up-to-date." argument, rather than a "don't do it" argument.
Will the in-tree bundle be updated regularly? I could probably live with "Keep your NetBSD base system updated to keep your CA bundle updated", but if I would rebuild my systems from the latest sources and not get the latest bundle I'd probably find it to be a little annoying.
Rhetorical Devil's advocate question: What's the potential blast radius for the worst case scenario where a CA's private key is compromised before its certificate expires and a bunch of NetBSD users don't update their bundle for two years?
-- Kind Regards, Jan