tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] HTTPS/TLS CA certificates in base

On 2023-08-19 18:51, Taylor R Campbell wrote:
TL;DR -- I propose to:

- Ship Mozilla's root CA certificates in base.
- Have ftp(1) and pkg_add(1) use them for TLS validation by default.
- Provide ways for you to persistently:
   . exclude individual CA certificates,
   . add to or change the root CA set altogether, or
   . let something else like a pkgsrc package manage /etc/openssl/certs,
   so that upgrading NetBSD won't override your TLS trust root


My objection in the past has been along the line of: If an organization is not willing to keep a CA bundle up-to-date for a user, then it should not dump a CA bundle that may grow stale onto their system either. But that's more of a "pick a well-trusted CA bundle, and provide a mirror of it that people can synchronize from -- and keep it up-to-date." argument, rather than a "don't do it" argument.

Will the in-tree bundle be updated regularly? I could probably live with "Keep your NetBSD base system updated to keep your CA bundle updated", but if I would rebuild my systems from the latest sources and not get the latest bundle I'd probably find it to be a little annoying.

Rhetorical Devil's advocate question: What's the potential blast radius for the worst case scenario where a CA's private key is compromised before its certificate expires and a bunch of NetBSD users don't update their bundle for two years?

Kind Regards,

Home | Main Index | Thread Index | Old Index