[NOTE: whatever I write below is *my* opinion.  Period]

In message <[EMAIL PROTECTED]> on Sun, 18 Aug 2002 21:32:43 -0400, 
Tom Zerucha <[EMAIL PROTECTED]> said:

tz> I don't know what the historic reasons for doing things a particular
tz> way, but I would suggest the following (in order of importance):
tz> 
tz> 1. Install the certs by default,

I'm amazed by this statement.  Are you seriously willing to give us
that kind of trust, rather than installing whatever root certs you
need yourself?  I'm personally not at all sure I want to be given that
kind of trust; I'm a developer, not a trusted certificate store
care-taker (at least in the OpenSSL arena).

Unfortunately, we've all been fooled into thinking that our software
distributors should be points of distribution for trusted root
certificates (meaning we implicitly trust Netscape Navigator/
Communicator, IE and whatnot to be truthful, even though there's no
way in the world the distributors can guarantee that), and most of us
are too lazy to deal with all of that properly.

Ultimately, it is YOUR responsibility, as a user, to assure the
security of your installation, be it by doing it yourself or by
hiring someone to do it for you.

tz> or if there are nontechnical reasons not to, add something
tz> prominent to the readmes and make process so that the certs
tz> directory will be populated by the users or the distributor
tz> creators.

I personally have no real problem with writing an extra blurb on
this.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
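The message above argues that the user, not the software distributor, should decide which root certificates land in OpenSSL's certs directory. As an added example (not code from the OpenSSL project or from anyone in this thread), the POSIX shell script below does exactly that by hand: it installs chosen PEM roots into a hashed CApath directory under the <subject_hash>.<n> names OpenSSL looks up, and verifies a leaf against that directory and nothing else. It assumes only the openssl command-line tool; the root and leaf it uses for its demo are generated on the fly and are not real CAs, and every file and directory name in it is made up for illustration.

```sh
#!/bin/sh
# Added example, not code from the OpenSSL project or from this thread.
# Populate an OpenSSL "certs" directory (a CApath) with roots YOU chose,
# then verify a leaf against it and nothing else. Requires the openssl CLI.
# The root and leaf used for the demo are generated on the fly and are not
# real CAs; all file and directory names below are made up for illustration.
set -u

# populate_capath DIR CERT... : copy each PEM root into DIR under the name
# OpenSSL's hashed-directory lookup expects, <subject_hash>.<n>, bumping <n>
# on collisions. This is what the c_rehash script (or "openssl rehash")
# does; doing it by hand shows that a CApath is nothing more than the
# files you put there.
populate_capath() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cert in "$@"; do
        hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dir/$hash.$n" || return 1
    done
}

# count_roots DIR : number of <hash>.<n> entries installed in DIR (0 if
# the directory does not exist yet).
count_roots() {
    ls "$1" 2>/dev/null | grep -c '^[0-9a-f]\{8\}\.[0-9]*$' || :
}

# verify_leaf DIR LEAF : exit 0 iff LEAF chains to a root installed in DIR.
# -no-CAfile (OpenSSL >= 1.1.0) keeps the distributor's default bundle out
# of the picture; older builds and LibreSSL lack the flag, so fall back
# without it (the default bundle is then consulted as well).
verify_leaf() {
    if openssl verify -help 2>&1 | grep -q -- '-no-CAfile'; then
        openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
    else
        openssl verify -CApath "$1" "$2" >/dev/null 2>&1
    fi
}

# make_test_chain DIR : generate a throwaway self-signed root and a leaf
# signed by it (constructed test data, valid for one day, not a real CA).
make_test_chain() {
    w=$1
    mkdir -p "$w" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Throwaway Test Root" \
        -keyout "$w/root.key" -out "$w/root.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=leaf.test" \
        -keyout "$w/leaf.key" -out "$w/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -sha256 -in "$w/leaf.csr" \
        -CA "$w/root.pem" -CAkey "$w/root.key" -CAcreateserial \
        -out "$w/leaf.pem" >/dev/null 2>&1 || return 1
}

# Demo: run as "sh capath.sh --demo". Shows the leaf failing against an
# empty directory and passing once its root has been installed there.
if [ "${1-}" = "--demo" ]; then
    W=$(mktemp -d)
    make_test_chain "$W" || exit 1
    if verify_leaf "$W/certs" "$W/leaf.pem"; then
        echo "unexpected: empty CApath verified the leaf"
    else
        echo "empty CApath: leaf rejected, as it should be"
    fi
    populate_capath "$W/certs" "$W/root.pem" || exit 1
    if verify_leaf "$W/certs" "$W/leaf.pem"; then
        echo "leaf verified against $(count_roots "$W/certs") installed root(s)"
    fi
    rm -rf "$W"
fi
```

The check worth keeping from this is the first half of the demo: a leaf that should chain to a root you never installed must be rejected. If it is accepted, something other than your certs directory (typically the distributor's default CAfile) is being consulted, which is precisely the implicit trust the message objects to.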
