
Re: Which version of certdata.txt is preferred for mk-ca-bundle, and why?

From: Leif W <warp9pnt9_at_gmail.com>
Date: Wed, 18 Dec 2013 13:22:11 -0500

On 2013-12-17 13:08, Leif W wrote:
> It bugged me, not knowing what the folks over at Mozilla would
> suggest, so I asked. :) Waiting for reply.

Ah well, it seems of course I'm/we're doing everything wrong, in terms
of security.

Summary (as best I understand it):

0) I asked question on wrong list.
1) Pulling from http versus https (chicken and egg problem?).
2) Not pulling from Mercurial (although any release repository should be
   recent enough, mozilla-central was advised).
3) Pulling from Mercurial tip (may still be volatile).
4) Not using most recent Release tag in Mercurial (NSS or mozilla-central).
5) Not checking version in header and not caching metadata results
   (Mozilla's Mercurial provides NO Last-Modified header).
6) Not manually reviewing all of a certdata.txt AND the release notes
   (BEFORE using it for anything).
7) Not bundling certdata.txt in cURL to avoid chicken/egg/trust/review
   issues.
8) Using certdata.txt outside of Mozilla projects (as file format may
   change at any time without notice).
9) Changes to make NSS and/or Gecko use stricter criteria, for which
   there's no way to generate an equivalent ca-bundle.
10) Though necessary, manual review still deemed insufficient for safe use.
    (I have no idea what to look for, and no specifics given about how
    to use safely.)
    (Also implies that eyeballs are required to continuously maintain
    imports.)
11) In general, not being responsible or security conscious.
12) Searching in correct list, I found Daniel's conversation asking
    related questions (but not this level of detailed response).

So we've come full circle now! Ah! :) So much for the initial idea to
just change URL and be happy. Any simple question that generates such a
response must have been very good to ask, after all. :D Now what shall
we do about it?

I'm a passer-by willing to help tweak a script, but am not really
experienced or qualified to speak on behalf of or make decisions for
cURL when interacting with Mozilla. However, I've done my best to learn
and gather details about related issues and concerns.

For the moment, I would be inclined to ask more questions (this time on
the right list), and see if a more formal definition or guideline or
policy or howto, etc., of proper, responsible handling of generating a
ca-bundle from Mozilla sources could be generated, for 3rd parties to
follow. Or ideally, perhaps if they could provide ALL the CA
information, including the potentially more strict criteria of other
packages, to be defined in a central location suitable for use by 3rd
parties. Somehow I think they would not welcome such request.

Or if another method needs to be used, info gotten elsewhere from
another project, etc. Otherwise, it should be made clear that there are
risks using the mk-ca-bundle script as is.

The db2pem shell script is handy, if you're a Firefox user on a *nix
system. That maybe could be adapted to a more portable language (Perl
and/or PHP?).

-- 
Leif
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-12-18
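Points 5 and 8 of the summary above (no Last-Modified header to cache on, and a file format that may change without notice) are the two that a script consuming certdata.txt can actually do something about. The following is an added example written for this page; it is not the curl project's mk-ca-bundle script and not Mozilla code. It assumes the 2013-era certdata.txt syntax (one object per CKA_CLASS block, CKO_CERTIFICATE and CKO_NSS_TRUST objects paired by CKA_LABEL, MULTILINE_OCTAL byte blocks, and the three CKT_NSS_* trust values); anything outside that set raises FormatError instead of silently producing a bundle. Only roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR are emitted, so a root marked CKT_NSS_NOT_TRUSTED cannot leak into the result. Because the server offers no usable HTTP metadata, change detection is done on the file's SHA-256 (content_fingerprint), which the caller stores beside the generated bundle. The sample input is constructed for the example and its DER values are not real certificates.

```python
"""Strict certdata.txt -> PEM converter (added example; not curl's mk-ca-bundle, not Mozilla code)."""
import base64
import hashlib
import re

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
# The three trust values used by the 2013-era certdata.txt; anything else is treated
# as a format change and rejected rather than guessed at.
KNOWN_TRUST = {TRUSTED, "CKT_NSS_MUST_VERIFY_TRUST", "CKT_NSS_NOT_TRUSTED"}


class FormatError(ValueError):
    """certdata.txt contains something this converter does not understand."""


def _octal_block(lines, i):
    """Decode a MULTILINE_OCTAL block starting at lines[i]; return (bytes, index after END)."""
    out = bytearray()
    while i < len(lines) and lines[i].strip() != "END":
        for esc in re.findall(r"\\([0-7]{3})", lines[i]):
            out.append(int(esc, 8))
        i += 1
    if i >= len(lines):
        raise FormatError("unterminated MULTILINE_OCTAL block")
    return bytes(out), i + 1


def parse_objects(text):
    """Split certdata.txt into one {attribute: value} dict per CKA_CLASS object."""
    lines = text.splitlines()
    objects, cur, i = [], {}, 0
    while i < len(lines):
        line = lines[i].strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            i += 1
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise FormatError(f"unparseable line: {line!r}")
        attr, typ = parts[0], parts[1]
        if attr == "CKA_CLASS":  # every object starts with its class attribute
            if cur:
                objects.append(cur)
            cur = {}
        if typ == "MULTILINE_OCTAL":
            value, i = _octal_block(lines, i + 1)
        elif len(parts) == 3:
            value = parts[2].strip('"') if typ == "UTF8" else parts[2]
            i += 1
        else:
            raise FormatError(f"attribute without value: {line!r}")
        cur[attr] = value
    if cur:
        objects.append(cur)
    return objects


def build_bundle(text):
    """Return PEM text containing only roots trusted for server authentication."""
    certs, trust = {}, {}
    for obj in parse_objects(text):
        cls, label = obj.get("CKA_CLASS"), obj.get("CKA_LABEL")
        if cls == "CKO_CERTIFICATE":
            certs[label] = obj["CKA_VALUE"]
        elif cls == "CKO_NSS_TRUST":
            flag = obj.get("CKA_TRUST_SERVER_AUTH")
            if flag not in KNOWN_TRUST:
                raise FormatError(f"unknown trust value {flag!r} for {label!r}")
            trust[label] = flag
        elif cls != "CKO_NSS_BUILTIN_ROOT_LIST":
            raise FormatError(f"unknown object class {cls!r}")
    pem = []
    for label, der in certs.items():
        # Roots with no trust record, CKT_NSS_NOT_TRUSTED or
        # CKT_NSS_MUST_VERIFY_TRUST are deliberately left out.
        if trust.get(label) != TRUSTED:
            continue
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
        pem.append(f"{label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(pem)


def content_fingerprint(text):
    """SHA-256 of the fetched file. Mozilla's Mercurial sends no Last-Modified header,
    so 'changed since last run' has to be decided on content, stored beside the bundle."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample in certdata.txt syntax; the octal DER values are NOT real certificates.
SAMPLE = r"""
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Mozilla Builtin Roots"

# Certificate "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END

# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example Root B" (explicitly distrusted for server auth)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END

# Trust for "Example Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

if __name__ == "__main__":
    print("fingerprint:", content_fingerprint(SAMPLE))
    print(build_bundle(SAMPLE))
```

Run against a real certdata.txt, the converter either produces a bundle or stops with a FormatError naming the line or value it did not recognise; that stop is the intended behaviour, since a new object class or trust value is exactly the case where a human needs to read the release notes before the bundle is regenerated.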