Dan Fandrich wrote:

>
>Surely, other public projects have encountered exactly the same problem
>and have solved them somehow. It seems to me that effort spent now
>in solving this problem would be most efficiently spent in investigating
>one of those projects (whether Mozilla or others) with a reasonable
>philosophy of cert inclusion (including the licensing issues), and simply
>reusing their bundle. Effort spent up front in this would, if successful,
>save lots of ongoing effort in adding and updating certs.
>
>
I had no other approach in mind. However, you cannot simply reuse MS's or
Mozilla's certificate bundle; the certificates are licensed to these
"companies"
on specific terms, which may cover re-distributing these certificates
bundled
with software under a particular (i.e. Mozilla) license, but I'm pretty
certain
that somewhere in small print there will be an exclusion of the right to
redistribute certificates bundled with other software.

These other popular projects /are/ however good starting points because I
guess they have done at least some homework with regards to trust.

B.T.W. some of these licenses make interesting reading material....
for instance, If I would have accepted the terms, I would not even be
allowed to reproduce thawte's root certificate licence here:

<quote>
"Confidential Information" means this Agreement, the root private \
keys corresponding to the public key in a Root Certificate......
</quote

.. or would I...

<quote>
"except for information that: (i) is public knowledge at the time of
disclosure, (ii) was known by the receiving party before disclosure by
the disclosing party....
</quote>

ghee... twisted minds, these lawyers

http://www.thawte.com/roots/index.html

I'm starting to be less confident that I want to enter this hornets' nest.

regards, Theo
Received on 2005-09-02