
curl-library

Re: Updated Mozilla certdata inclusion?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 12 Feb 2008 13:11:45 +0100 (CET)

On Mon, 11 Feb 2008, Guenter Knauf wrote:

> Found also a useful post here:
> http://www.issociate.de/board/post/170599/updating_ca-bundle.crt.html

That's indeed a good source, as mod_ssl is BSD license and both the gentlemen
in that discussion are persons with clues and acknowledged experience in the
area.

I'm now clearly in favor of updating our bundle. I do however want to create a
document in our file tree with a proper description of the license situation
and our best-effort so that newcomers and/or Mozilla people can find it easily
if they're interested/worried. The best would of course be if we could squeeze
out an official statement from someone involved with Mozilla.

> a third option - and perhaps the best from my point of view - would be if we
> would start on collecting an own certdata db; but for that we would need to:

I think this is a major undertaking that would need some thinking through
before we'd jump into this. The biggest thing would be to ask ourselves the
question: why? Why do we need to do this ourselves if we think the Mozilla
guys are already doing a sufficiently good enough job? And even if we would
think this, why would it be related to (lib)curl? Wouldn't it just be a fresh
new team trying to gather CA certs for trusted orgs to hand out using a clear
license?

Then we'd have to set up rules and guidelines for what certificates to accept,
when they should be removed etc etc.

I'm far from convinced that I would feel like being involved in such an
effort. Not that it wouldn't be good or interesting, but simply because I
already have so much involvement in too many things that I find more
important, fun or interesting.

> - collect the 113 CAs (one is outdated, and probably not available anymore)
> directly from the issuers, and store the PEM + the URL from where we fetched
> it.

There's of course no guarantee that a new cacert keeping organization would
agree that all these 113 ones are to be trusted. Or perhaps it'll find 226 ones
to trust...

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2008-02-12