curl-users
Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon
Date: Mon, 27 Oct 2014 23:41:49 +0100 (CET)
On Mon, 27 Oct 2014, Leif W wrote:
> The default -p option is as if SERVER_AUTH:TRUSTED_DELEGATOR was specified, 
> and the Amazon certs mentioned are excluded from the cacert.pem.
>
> I got ALL:ALL to include the certs, as well as SERVER_AUTH:MUST_VERIFY_TRUST 
> and SERVER_AUTH:TRUSTED,MUST_VERIFY_TRUST.
>
> However, SERVER_AUTH:TRUSTED_DELEGATOR and optionally MUST_VERIFY_TRUST or 
> TRUSTED or BOTH exclude the Amazon cert.
Ah, nice find, thanks a lot! Then I guess it was exactly that the properties 
were changed on those particular certificates that then made the default 
script setup exclude them from the PEM version.
I find it a bit strange that we have to set "MUST_VERIFY_TRUST" to get the 
certs that apparently Firefox uses. But I do think that this is reason to 
reconsider what the default -p option should be set to!
> A better explanation of the trust purpose(s) and level(s) may be more 
> helpful, and setting defaults that are well justified if they break any 
> compatibility, or updating the script invocation that (automatically?) 
> generates the cacert.pem on site.
Here's the only documentation I know of:
http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
-- 
/ daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-27
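The thread turns on how the "-p PURPOSES:LEVELS" filter of mk-ca-bundle.pl selects trust objects from Mozilla's certdata.txt. The script below is an added example written for this page, not curl's mk-ca-bundle.pl and not code from anyone in the thread: it independently reimplements the purpose:level selection described above and runs it over a constructed certdata.txt excerpt (the CA labels "Example Root CA", "Example Legacy Root CA" and "Example Distrusted Root" are hypothetical, and the hash and DER octal blocks are stand-ins). It shows why a root whose CKA_TRUST_SERVER_AUTH attribute is CKT_NSS_MUST_VERIFY_TRUST drops out under the default SERVER_AUTH:TRUSTED_DELEGATOR and reappears with SERVER_AUTH:MUST_VERIFY_TRUST or ALL:ALL. The caveat a practitioner should keep in mind: in the NSS/p11-kit model linked above, MUST_VERIFY_TRUST means "not a trust anchor for this purpose, validate through a chain like any other certificate", so widening the filter puts roots into the PEM bundle that Mozilla's own store will not use as server-auth anchors, and ALL:ALL also pulls in roots marked CKT_NSS_NOT_TRUSTED, which are explicitly distrusted.

```python
"""Purpose/level trust filter for certdata.txt trust objects.

Added example, not curl's mk-ca-bundle.pl. The -p grammar
("PURPOSES:LEVELS", comma-separated, ALL allowed on either side)
follows the thread's description; the input below is constructed.
"""

# Mapping from -p purpose names to certdata.txt trust attributes,
# and from -p level names to the CKT_NSS_* values those attributes take.
PURPOSES = {
    "SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
    "EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
    "CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
}
LEVELS = {
    "TRUSTED_DELEGATOR": "CKT_NSS_TRUSTED_DELEGATOR",  # trust anchor
    "TRUSTED": "CKT_NSS_TRUSTED",                      # trusted leaf
    "MUST_VERIFY_TRUST": "CKT_NSS_MUST_VERIFY_TRUST",  # not an anchor
    "NOT_TRUSTED": "CKT_NSS_NOT_TRUSTED",              # distrusted
}

# Constructed excerpt in certdata.txt syntax; labels are hypothetical,
# octal blocks are stand-ins. Only CKO_NSS_TRUST objects affect -p.
SAMPLE_CERTDATA = r"""
BEGINDATA
# Certificate "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END

# Trust for "Example Root CA": still a server-auth anchor
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Example Legacy Root CA": server-auth anchor trust withdrawn
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Legacy Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Distrusted Root": explicitly distrusted everywhere
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def parse_trust_objects(text):
    """Return one dict per CKO_NSS_TRUST object: label plus CKA_TRUST_* values.

    MULTILINE_OCTAL ... END blocks (hashes, DER) are skipped; every
    CKA_CLASS line starts a new object, as in certdata.txt itself.
    """
    objects, cur, in_octal = [], None, False
    for line in text.splitlines():
        if in_octal:                      # swallow octal body up to END
            in_octal = line.strip() != "END"
            continue
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(" ")
        if attr == "CKA_CLASS":
            if cur is not None:
                objects.append(cur)
            cur = {"class": rest.split()[-1]}
            continue
        if cur is None:                   # e.g. BEGINDATA before any object
            continue
        if rest.endswith("MULTILINE_OCTAL"):
            in_octal = True
        elif attr == "CKA_LABEL":
            cur["label"] = rest.split(" ", 1)[1].strip('"')
        elif attr.startswith("CKA_TRUST_") and rest.startswith("CK_TRUST "):
            cur[attr] = rest.split()[-1]  # the CKT_NSS_* level
    if cur is not None:
        objects.append(cur)
    return [o for o in objects if o["class"] == "CKO_NSS_TRUST"]


def parse_purpose_spec(spec):
    """Expand a -p value such as "SERVER_AUTH:TRUSTED_DELEGATOR,TRUSTED"."""
    purposes, _, levels = spec.partition(":")
    try:
        attrs = set(PURPOSES.values()) if purposes == "ALL" else {
            PURPOSES[p] for p in purposes.split(",")}
        wanted = set(LEVELS.values()) if levels == "ALL" else {
            LEVELS[l] for l in levels.split(",")}
    except KeyError as e:
        raise ValueError("unknown purpose or level in -p: %s" % e)
    return attrs, wanted


def select_roots(text, spec="SERVER_AUTH:TRUSTED_DELEGATOR"):
    """Labels of trust objects where any chosen purpose has a chosen level."""
    attrs, wanted = parse_purpose_spec(spec)
    return [o["label"] for o in parse_trust_objects(text)
            if any(o.get(a) in wanted for a in attrs)]


def server_auth_anchors(labels, text):
    """Subset of selected labels NSS would actually use as TLS server anchors."""
    anchor = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED"}
    ok = {o["label"] for o in parse_trust_objects(text)
          if o.get("CKA_TRUST_SERVER_AUTH") in anchor}
    return [l for l in labels if l in ok]


if __name__ == "__main__":
    for spec in ("SERVER_AUTH:TRUSTED_DELEGATOR", "SERVER_AUTH:MUST_VERIFY_TRUST",
                 "SERVER_AUTH:TRUSTED_DELEGATOR,MUST_VERIFY_TRUST", "ALL:ALL"):
        picked = select_roots(SAMPLE_CERTDATA, spec)
        print("%-48s -> %s (real anchors: %s)" % (
            spec, picked, server_auth_anchors(picked, SAMPLE_CERTDATA)))
```

Running it prints, for each -p value, the roots that would land in the PEM bundle alongside the subset NSS itself treats as server-auth anchors; the gap between the two columns for SERVER_AUTH:MUST_VERIFY_TRUST and ALL:ALL is exactly the trust the wider filter re-grants.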