

Re: cacert.pem updates in real time

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 2 Jul 2016 11:11:03 +0200 (CEST)

On Sat, 2 Jul 2016, Vinayak Tanksale wrote:

> How do we know that we need to download a new one?

There's no good answer to that. The cacert file is a list of signatures of the
CAs you and your app trust. How often does that change? The file you decide to
depend on is updated by Mozilla (and then my script), so you need to decide
yourself how to act when it changes.

There's no right or wrong here, you just have to decide how to deal with it.

> We have an app that uses cacert.pem and if a new one is issued then the app
> stops functioning.

That is most likely incorrect. The new cacert bundle will be mostly identical
to the old one, with a few added and a few removed, so only a subset of all
certificates in the world will get a different treatment.

Remember how large parts of the internet don't update their cacert equivalents
more than once every few years so it is quite natural that changes in the
trust store as well as which CAs are used on the Internet will move slowly.

> We would ideally want as little downtime as possible. We are downloading
> the file once a day via a script, but if there was a way to know when a new
> cacert had been posted then we could download it right away without waiting
> for our script to run.

Then you should probably monitor the Mozilla hg repo that hosts the original
file and trigger building a new cacert once that updates, instead of relying on
the curl.haxx.se service that may take up to almost 24 hours until an update
shows up, and then your update script may be unaligned with that, so it could
add almost another 24 hours if you're unlucky.

But I think you're overdoing this. I think you can survive fine with getting
an update every once in a while.

-- 
  / daniel.haxx.se
Received on 2016-07-02
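Daniel's point that a fresh cacert.pem is "mostly identical to the old one, with a few added and a few removed" can be checked mechanically rather than trusted. The script below is an added example (not code from the curl project or from this thread): it parses two bundles in the layout cacert.pem uses (a CA name line, an underline of `=` characters, then the PEM block), fingerprints each certificate by the SHA-256 of its DER bytes, reports which CAs were added or removed, and verifies a downloaded file against a published `<hex>  cacert.pem` checksum line before swapping it in. The two bundles embedded here are constructed placeholders whose "certificates" are just base64 of short strings, so the fingerprints are meaningful only as identities, not as real root CAs.

```python
"""Compare two CA bundles in the cacert.pem / mk-ca-bundle layout.

Added example, not curl project code.  Assumes the layout
    <CA name>
    ==========
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
and a checksum file of the form "<sha256 hex>  cacert.pem".
"""
import base64
import hashlib


def bundle_sha256(data: bytes) -> str:
    """Hex SHA-256 of the raw bundle bytes, as published next to cacert.pem."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(bundle_bytes: bytes, published_line: str) -> bool:
    """True if the bundle matches the first token of a '<hex>  cacert.pem' line."""
    published = published_line.split()[0].lower()
    return bundle_sha256(bundle_bytes) == published


def parse_bundle(text: str) -> dict:
    """Map SHA-256 fingerprint of each DER certificate -> CA name from the bundle."""
    certs = {}
    name = None   # most recent non-comment, non-underline line before a PEM block
    body = None   # base64 lines collected while inside a PEM block
    for line in text.splitlines():
        if line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----":
            der = base64.b64decode("".join(body))
            certs[hashlib.sha256(der).hexdigest()] = name or "<unnamed>"
            body = None
        elif body is not None:
            body.append(line.strip())
        elif line and not line.startswith("#") and set(line) != {"="}:
            name = line.strip()
    return certs


def diff_bundles(old_text: str, new_text: str):
    """Return (added, removed) as sorted lists of (CA name, fingerprint)."""
    old = parse_bundle(old_text)
    new = parse_bundle(new_text)
    added = sorted((new[fp], fp) for fp in new.keys() - old.keys())
    removed = sorted((old[fp], fp) for fp in old.keys() - new.keys())
    return added, removed


# --- constructed sample bundles (NOT real certificates) -------------------
def _fake_cert(label: str) -> str:
    # Placeholder body: base64 of a short string stands in for DER bytes.
    return base64.b64encode(label.encode()).decode()


def _bundle(entries) -> str:
    out = ["##", "## Bundle of CA Root Certificates (constructed sample)", "##", ""]
    for name, label in entries:
        out += [name, "=" * len(name), "-----BEGIN CERTIFICATE-----",
                _fake_cert(label), "-----END CERTIFICATE-----", ""]
    return "\n".join(out)


OLD_BUNDLE = _bundle([("Example Root CA 1", "cert-1"), ("Example Root CA 2", "cert-2")])
NEW_BUNDLE = _bundle([("Example Root CA 1", "cert-1"), ("Example Root CA 3", "cert-3")])


def change_report(old_text: str, new_text: str) -> str:
    """Human-readable summary of what an update actually changes."""
    added, removed = diff_bundles(old_text, new_text)
    lines = [f"added:   {len(added)}", f"removed: {len(removed)}"]
    lines += [f"  + {n} ({fp[:16]}...)" for n, fp in added]
    lines += [f"  - {n} ({fp[:16]}...)" for n, fp in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    published = bundle_sha256(NEW_BUNDLE.encode()) + "  cacert.pem"
    print("checksum ok:", verify_sha256(NEW_BUNDLE.encode(), published))
    print(change_report(OLD_BUNDLE, NEW_BUNDLE))
```

A daily download job can run `diff_bundles` against the copy already deployed and only replace the file (and reload the application) when the fingerprint set actually differs, which also produces a log line saying which CAs came and went; the checksum check guards against swapping in a truncated or tampered download.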