Bugs item #1889593, was opened at 2008-02-08 14:45
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1889593&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: https
Group: bad behaviour
Status: Open
>Resolution: None
Priority: 5
Private: No
Submitted By: StartCom (startcom)
Assigned to: Daniel Stenberg (bagder)
Summary: Update of ca-bundle
Initial Comment:
I'm not sure why exactly the ca-bundle shipped with curl is from the year 2000, instead various resources are invested at the web site in order to explain how to get the ca-bundle updated. Would it be possible to ship this one instead with the default download?
http://curl.haxx.se/ca/cacert.pem
This file is about double the size compared to the one with the curl archive, meaning that most users of curl will have to update the ca-bundle in order to play nice. This is perhaps an unneeded step and confusing for many others which rely on shared hosting with no access to the relevant files.
----------------------------------------------------------------------
>Comment By: Daniel Stenberg (bagder)
Date: 2008-02-12 13:17
Message:
Logged In: YES
user_id=1110
Originator: NO
The discussion thread on curl-library can be found here:
http://curl.haxx.se/mail/lib-2008-02/0033.html
Seeing this[1] post regarding this very same issue in the mod_ssl project,
it feels like it is about time we got someone on the Mozilla side of things
to publicly acknowledge that the current practice is accepted.
As I wrote in the thread referred to above, I'm in favor of including the
bundle now but I would like to get the license situation as clear as
possible so that users of this will know and understand how things are.
I've come to think of the fact that the file may be triplet licensed, but
since nothing is linking with it, not extending it or building upon it (it
is simply loaded into another program) it may even be so that the license
won't be much of a problem to anyone (I mean even closed-source users or
users of incompatible licenses) as long as they don't modify the cacert
file obtained this way.
[1] =
http://www.issociate.de/board/post/170599/updating_ca-bundle.crt.html
----------------------------------------------------------------------
Comment By: StartCom (startcom)
Date: 2008-02-10 00:29
Message:
Logged In: YES
user_id=1078132
Originator: YES
The position taken by Mozilla concerning the certdata.txt is that it's in
a grey area or undefined. Legally the root certificates belong to the CAs
and are not the copyright of Mozilla. An extracted file derived from
certdata.txt, which could be otherwise obtained by simply exporting (backup)
all CA certificates from the Firefox (NSS module) store, shouldn't be bound
to the Mozilla licenses, because they don't belong to Mozilla in the first
place. It was also noted that no CA has complained in the past to have its
root included in products derived from Mozilla and/or making use of the NSS
module, hence it should be safe to make use of the CA roots in question.
Since this is also the experience made with the current ca-bundle in cURL,
which was extracted from Netscape 4.7 (same source btw), I'd suggest to
update the ca-bundle in this fashion (extract from certdata.txt without
making any use otherwise of this file). Also note that various other
vendors do exactly the same, in particular the Debian and Red Hat
distributions. Also I'd like to mention that the cURL site makes a
ca-bundle derived from certdata.txt already today available for download
and there might be no difference in that respect (by including the bundle
into the sources).
Hope this helps. Please tell me if you need more information or whether I
should join a particular mailing list.
----------------------------------------------------------------------
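The extraction StartCom describes above (pull the roots out of Mozilla's certdata.txt without otherwise using that file) works on a simple line-oriented format: each CKO_CERTIFICATE object carries its DER bytes as escaped octal, and a separate trust object with the same label says what the root may be used for. The following is an added illustration, not curl's own `make ca-bundle` tooling; the certdata sample is constructed with placeholder DER bytes, and a root is only written to the bundle when its server-auth trust record marks it as a trusted delegator.

```python
import base64
import re
# Constructed miniature certdata.txt (placeholder DER bytes, not real roots):
# a CKO_CERTIFICATE object holds DER as MULTILINE_OCTAL, a CKO_NSS_TRUST
# object with the same label says how far that root is trusted.
SAMPLE_CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001
\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Untrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Untrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''
# Trust values meaning "may issue server certs" (current and 2008-era NSS names).
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

def parse_certdata(text):
    # Returns (label -> DER bytes, set of labels trusted for server auth).
    certs, trusted, label, octal = {}, set(), None, None
    for line in text.splitlines():
        line = line.strip()
        if octal is not None:                     # collecting MULTILINE_OCTAL
            if line == "END":
                digits = re.findall(r"\\([0-7]{3})", "".join(octal))
                certs[label], octal = bytes(int(d, 8) for d in digits), None
            else:
                octal.append(line)
        elif line.startswith("CKA_LABEL UTF8 "):
            label = line.split(" ", 2)[2].strip('"')
        elif line == "CKA_VALUE MULTILINE_OCTAL":
            octal = []
        elif line.startswith("CKA_TRUST_SERVER_AUTH CK_TRUST ") and line.rsplit(" ", 1)[1] in TRUSTED:
            trusted.add(label)
    return certs, trusted

def pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(text):
    certs, trusted = parse_certdata(text)
    return "\n".join(pem(l, certs[l]) for l in sorted(certs) if l in trusted)
```

Run `build_bundle(open("certdata.txt").read())` against a real file to get a PEM bundle in the same shape as the cacert.pem linked in the report; roots whose trust record is not a server-auth delegator are left out rather than silently included.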
Comment By: Daniel Stenberg (bagder)
Date: 2008-02-08 22:25
Message:
Logged In: YES
user_id=1110
Originator: NO
Thanks for helping out on this issue.
Regarding the current ca-bundle, the license of that is of course very
vague and unclear but that's already in, used and done (and also very old
and thus has been around for ages without anyone having complained or
raised this as an issue) and I don't think replacing it with one that has a
known license issue is a good option.
Also, see 'make ca-bundle' in the current CVS code, which gets and builds
a fresh cert bundle on demand.
----------------------------------------------------------------------
Comment By: StartCom (startcom)
Date: 2008-02-08 20:34
Message:
Logged In: YES
user_id=1078132
Originator: YES
Excellent! I'll discuss that over at Mozilla and come back to you
hopefully with an acceptable solution. Please leave the bug open for now
until then. Thanks.
----------------------------------------------------------------------
Comment By: Dan Fandrich (dfandrich)
Date: 2008-02-08 20:07
Message:
Logged In: YES
user_id=236775
Originator: NO
IANAL, but the Mozilla Foundation is within their rights to assert a
compilation copyright on their CA bundle, which apparently they have done.
Since curl is distributed under an MIT/X derivative license, a license
compatible with that one would be best. But I'm not the one to make the
call--please bring your offer to one of the curl mailing lists where it can
be discussed. Thank you!
----------------------------------------------------------------------
Comment By: StartCom (startcom)
Date: 2008-02-08 19:54
Message:
Logged In: YES
user_id=1078132
Originator: YES
I was reading the other bugs. I can help straighten this out since I'm also
involved at Mozilla and/or could use other sources instead. First of all,
under which license did you obtain the current ca-bundle from Netscape?
Which license would you prefer (if at all)?
CA certificates usually belong to the CAs and not to any party. Except a
few restricted ones, all CA certificates currently in use are published by
the CAs for consumption, hence I don't see a particular problem. If we can
solve the license issue you mentioned concerning Mozilla you could include
the extract tool into the build system, not requiring you to maintain the
ca-bundle at all.
----------------------------------------------------------------------
Comment By: Dan Fandrich (dfandrich)
Date: 2008-02-08 19:31
Message:
Logged In: YES
user_id=236775
Originator: NO
Duplicate of bug #1706732 and #1884844
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1889593&group_id=976
Received on 2008-02-12