
Re: Which version of certdata.txt is preferred for mk-ca-bundle, and why?

From: Leif W <warp9pnt9_at_gmail.com>
Date: Mon, 16 Dec 2013 05:46:59 -0500

On 2013-12-16 03:36, Daniel Stenberg wrote:
> On Sun, 15 Dec 2013, Leif W wrote:
>
> Thanks a lot for your contribution!
>
>> So, if the intended purpose is to have an updated list of trusted
>> certificates, what is the better choice, and why?
>
> That's a very good question. Let me answer it and then tell you how I
> think we should proceed:

Glad I was able to ask a decent question, thanks!

> I don't think we've done a lot of research into exactly which single
> source tree and therefore which certdata.txt to use for this script.
> This more or less "happened" and has proved to work - additional
> scrutiny and eyes on the code exactly like you're helping with here is
> what we need to drive us into taking a more active and intelligent
> decision.
>
>> To me it would seem that a 1 year old list may not be the best
>> default choice. The current browser release or the Aurora channel
>> (pre-Beta) would seem to be the most recent, and presumably kept in
>> sync in the nss tree.

Also note, I only did a very cursory and not entirely thorough search,
nor did I go so far as to seek a more authoritative answer directly from
Mozilla devs about which they consider as the best option in terms of
balancing most recent and most correct (allow a little version buffer in
case of mistakes/typos in a frequently updated file).

> I would suggest we do two things:
>
> 1 - we pick "current browser release" as the default set to use

That sounds reasonable.

The current default (mozilla) had 144 CA certs processed, 33 untrusted
skipped.
The nss file had 150 CA certs processed, 37 untrusted skipped.
The mozilla-release file had 149 CA certs processed, 36 untrusted skipped.
The mozilla-aurora file was identical to nss tree, except for time stamp.

>
> 2 - we introduce a new command line option for the script that allows
> users to easier select to get the bundle from other trees, such as the
> aurora, central or incoming repos.
>
> How does that sound? You up to helping us make this happen?
>

I was thinking along those lines, but was not sure of the best way to
handle it. Maybe the option can take the 4 short names mentioned
(mozilla, mozilla-release, nss, mozilla-aurora) with the URLs in an
array/hash, and otherwise take a URL to the certdata.txt file we want?

I think I am familiar enough with perl, VBS, and PHP to make that
happen; whatever other languages mk-ca-bundle is written in, I am sure
I could figure out enough of their syntax to make such a change. The
code may not be the most elegant. :)

Just let me know if you or anyone else has a better idea about how to
set up the option, whatever will offer the most ease of use, power and
flexibility.

Leif

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-12-16
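As an added illustration of the two things discussed in this mail (not code from the thread or from curl's own mk-ca-bundle.pl, and in Python rather than the script's Perl): a tree selector that accepts the four short names or a direct URL, with a placeholder URL table since the thread gives no URLs, and a small certdata.txt reader that reproduces the "N CA certs processed, M untrusted skipped" split. The trust rule used here is my understanding of what mk-ca-bundle applies: a root is kept only when its CKO_NSS_TRUST object marks CKA_TRUST_SERVER_AUTH as CKT_NSS_TRUSTED_DELEGATOR. The sample certdata text is constructed for this example.

```python
"""Select a certdata.txt source and count server-auth-trusted vs. skipped roots."""
from urllib.parse import urlparse

# Short tree names -> certdata.txt URL. The URLs are placeholders (assumption):
# the real locations are not stated in the thread.
CERTDATA_TREES = {
    "mozilla": "https://example.invalid/mozilla/certdata.txt",
    "mozilla-release": "https://example.invalid/mozilla-release/certdata.txt",
    "nss": "https://example.invalid/nss/certdata.txt",
    "mozilla-aurora": "https://example.invalid/mozilla-aurora/certdata.txt",
}
# "current browser release" as the default set, as proposed in the thread.
DEFAULT_TREE = "mozilla-release"
TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"


def resolve_source(selector=None):
    """Map a short tree name, or an explicit http(s) URL, to a certdata.txt URL.

    Anything that is neither a known name nor an http(s) URL ending in
    certdata.txt is rejected, so a typo cannot silently fetch something else.
    """
    if selector is None:
        return CERTDATA_TREES[DEFAULT_TREE]
    if selector in CERTDATA_TREES:
        return CERTDATA_TREES[selector]
    parts = urlparse(selector)
    if parts.scheme in ("http", "https") and parts.netloc \
            and parts.path.endswith("certdata.txt"):
        return selector
    raise ValueError(f"unknown tree or unsupported URL: {selector!r}")


def parse_certdata_objects(text):
    """Split certdata.txt into one attribute dict per object.

    Objects start at a CKA_CLASS line; MULTILINE_OCTAL bodies (DER bytes,
    serial numbers) are skipped up to their END marker; comments, blank lines
    and bare keywords such as BEGINDATA are ignored.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(" MULTILINE_OCTAL"):
            for body in lines:
                if body.strip() == "END":
                    break
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        attr, _ctype, value = parts
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value.strip('"')
    return objects


def classify_server_auth(text):
    """Return (trusted, skipped) certificate labels, in file order.

    A certificate is trusted only if its trust object marks it as a
    CKT_NSS_TRUSTED_DELEGATOR for server auth; everything else (explicitly
    not trusted, must-verify, or no trust object at all) is skipped.
    """
    certs, trust = [], {}
    for obj in parse_certdata_objects(text):
        cls, label = obj.get("CKA_CLASS"), obj.get("CKA_LABEL")
        if not label:
            continue
        if cls == "CKO_CERTIFICATE":
            certs.append(label)
        elif cls == "CKO_NSS_TRUST":
            trust[label] = obj.get("CKA_TRUST_SERVER_AUTH")
    trusted = [c for c in certs if trust.get(c) == TRUSTED_DELEGATOR]
    skipped = [c for c in certs if trust.get(c) != TRUSTED_DELEGATOR]
    return trusted, skipped


def summary(text):
    """Format the counts the way the mail quotes them from mk-ca-bundle."""
    trusted, skipped = classify_server_auth(text)
    return f"{len(trusted)} CA certs processed, {len(skipped)} untrusted skipped"


# Constructed sample in certdata.txt syntax: one usable root, one explicitly
# distrusted for server auth, one whose trust must be verified separately.
SAMPLE_CERTDATA = r"""
BEGINDATA

# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003
END

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED

# Certificate "Example Email Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003
END

# Trust for "Example Email Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

if __name__ == "__main__":
    print(resolve_source("nss"))
    print(summary(SAMPLE_CERTDATA))
```

Reading the same certdata.txt from each tree through `summary()` gives a quick way to compare the sets the mail lists (144/33, 150/37, 149/36) and to see which roots differ, rather than only which counts differ.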