On Thu, July 30, 2015 5:17 pm, Stuart Henderson wrote:
> On 2015-07-30, Vadim Zhukov <[email protected]> wrote:
>> 2015-07-30 20:16 GMT+03:00 Stuart Henderson <[email protected]>:
>>> On 2015-07-30, Ted Unangst <[email protected]> wrote:
>>>> Michael McConville wrote:
>>>>> > Another meat could be, why you're using self-signed certificates?
>>>>> > Given the plethora of options for getting free (valid) certificates.
>>>>>
>>>>> He mentioned in his original email that it's a requirement where he
>>>>> works. That's common, from what I hear, although probably not the
>>>>> safest.
>>>>
>>>> I would consider a cert signed by somebody I actually trust (me) safer
>>>> than delegating that trust to 300 strangers.
>>>
>>> I think cert.pem should move to the etc set, so you can remove
>>> CAs from the file (as well as add new ones) without risk of those
>>> changes getting reverted.
>>>
>>> Downside: CA changes will then only take effect after running
>>> sysmerge. Is that a problem?
>>
>> I think it is. This is the same as with /etc/examples: less stuff to
>> merge, fewer errors to happen.
>
> cert.pem is pretty much a required file, we can't just move it to
> examples/.
> For people who don't touch it, it's a simple no-touch sysmerge update.
> For people who do, having sysmerge ask about merging it is a lot safer
> than just overwriting.
>
>> I'd ask another question: why can't software use /etc/ssl/myown.pem,
>> or /etc/ssl/*.pem, ever, instead of /etc/ssl/cert.pem? This will make
>> "trust" and "untrust" operations as simple as possible. No one in
>> healthy mind would place junk in /etc/ssl anyway, right?
>
> Some software allows you to set a different certificate file; other
> software doesn't. Patching everything in ports that verifies SSL certs
> to allow the user to specify an alternative file would just be insane.
> And of course then there's no single way to tell programs to use the
> alternative file; "ftp -S cafile=/path/to/cert.pem",
> "env SSL_CERT_FILE=/path/to/cert.pem lynx"
>
>> Or we may ship /etc/ssl/base.pem in base tgz, and install
>> /etc/ssl/cert.pem -> base.pem at installation time. This way things
>> will work by default, and if you need to have your own trust path, you
>> just change symlink. What do you think?
>
> That doesn't really help. One common scenario is wanting to add a
> single CA to the standard file, but otherwise pick up updates (e.g. with
> sysmerge), this method doesn't allow that.
>
Well I didn't expect this to take off into a larger conversation... :)

Work requirements aside, for personal use, I prefer to use my own CA over
self-signed certificates because I can manage that centrally. I don't have
to tell applications to allow self-signed certs, which might apply to all
domains and not just my own, or respond to warnings about them.

Also it's more fail-safe. If I forget to re-add my CA (or use sysmerge if
we go that way) then I'll see warnings or errors I won't be expecting.

I initially thought cert.pem was managed by sysmerge. That would be a
solution I think would work well.

Tim.
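The scenario Stuart describes above, adding a single local CA to the stock bundle while still picking up updates to it, as an added shell example that is not code from this thread or from OpenBSD. The paths, the `local/` directory layout and the PEM-shaped sample blocks are constructed for the demo and stand in for real certificates.

```shell
# Added example, not from the thread or OpenBSD: rebuild a trust bundle as
# "stock bundle + locally trusted CAs", skipping blocks already present, so
# it can be re-run after each update of the stock file. Sample data below is
# constructed: PEM-shaped blocks, not real certificates.

# Print each PEM certificate block of a file as one line (newlines
# replaced by "|") so whole blocks can be compared exactly.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inblk = 1; blk = "" }
         inblk { blk = blk $0 "|" }
         /^-----END CERTIFICATE-----$/ { if (inblk) print blk; inblk = 0 }' "$1"
}

# Number of certificate blocks in a file.
count_certs() { pem_blocks "$1" | wc -l | tr -d ' '; }

# merge_ca_bundle BASE LOCAL_DIR OUT: write BASE, then every cert from
# LOCAL_DIR/*.pem that is not already in the output. Fails (exit 1) on a
# local file holding no certificate, e.g. a private key dropped there.
merge_ca_bundle() {
    base=$1; dir=$2; out=$3
    tmp=$(mktemp) || return 1
    cat "$base" > "$tmp"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(count_certs "$f")" -eq 0 ]; then
            echo "$f: no certificate found, refusing to merge" >&2
            rm -f "$tmp"; return 1
        fi
        pem_blocks "$f" | while IFS= read -r blk; do
            # -e: a pattern starting with "-----" must not look like an option
            pem_blocks "$tmp" | grep -qxF -e "$blk" && continue
            printf '%s' "$blk" | tr '|' '\n' >> "$tmp"
        done
    done
    mv "$tmp" "$out"
}

# Emit a PEM-shaped block with the given body (a stand-in, not a real cert).
fake_cert() { printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }

# Throwaway tree: a stock bundle with two CAs, a local file with one new CA
# plus a duplicate of a stock one, and a stray private key. Prints the dir.
make_demo_tree() {
    d=$(mktemp -d); mkdir "$d/local"
    { fake_cert STOCKCA1; fake_cert STOCKCA2; } > "$d/base.pem"
    { fake_cert CORPCA; fake_cert STOCKCA1; } > "$d/local/corp.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN PRIVATE KEY-----' NOTACERT '-----END PRIVATE KEY-----' > "$d/stray.key"
    echo "$d"
}
```

Run it after every sysmerge of the stock file; because duplicates are skipped, the merge is idempotent, and a non-certificate file in the local directory aborts the rebuild instead of silently landing in the trust store.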

