
Which version of certdata.txt is preferred for mk-ca-bundle, and why?

From: Leif W <warp9pnt9_at_gmail.com>
Date: Sun, 15 Dec 2013 19:56:32 -0500

Thank you to the developers and contributors for this wonderful software
and informational resource.

It's been a while since I updated my cacert.pem manually. So I was
looking at the process again.

The mk-ca-bundle scripts use this url:

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
     Last-Modified: Sat, 29 Dec 2012 20:03:40 GMT
     Size: 1,306,494 bytes

However, I was poking around the same site, and found a newer version.

http://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1
     Last-Modified: Thu, 05 Dec 2013 09:58:06 GMT
     Size: 1,571,146 bytes

Which is almost a full year newer, ~260kb larger, with many additions
and comments.

Would this, then, not be a better choice, with more updated information?
Or is there a specific reason to use the other version? Is it because
the "mozilla" tree is considered the currently released version of the
browser?

Then there's the mozilla-release tree, which is the same day, ~20
minutes earlier than the nss tree, but with a smaller file size than the
nss tree, yet still about ~80 kb larger than the certdata.txt found in
the mozilla tree.

http://mxr.mozilla.org/mozilla-release/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
     Last-Modified: Thu, 05 Dec 2013 09:40:49 GMT
     Size: 1,387,627 bytes

Finally, there's mozilla-aurora, which I would presume is the most
up-to-date source, which is again ~6 minutes younger than
mozilla-release, yet the same file size and in fact binary identical to
the nss tree listed above. But will that always be the case at any
given moment?

http://mxr.mozilla.org/mozilla-aurora/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
     Last-Modified: Thu, 05 Dec 2013 09:34:03 GMT
     Size: 1,571,146

So, if the intended purpose is to have an updated list of trusted
certificates, what is the better choice, and why? To me it would seem
that a 1 year old list may not be the best default choice. The current
browser release or the Aurora channel (pre-Beta) would seem to be the
most recent, and presumably kept in sync in the nss tree.

If this is not the case, then what is the rationale for using stale data
in a security context?

Regards,

Leif
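An added example, not part of Leif's mail and not curl's own mk-ca-bundle code: a small parser for the certdata.txt object format (ATTRIBUTE TYPE VALUE lines, one object per CKA_CLASS, octal certificate bodies between MULTILINE_OCTAL and END) used to diff two snapshots by which roots are trusted for TLS server authentication, the same trust attribute mk-ca-bundle selects on. The two inputs are constructed fragments with made-up CA labels, and the function names are hypothetical; comparing trust sets this way shows what "newer" actually buys, since a fresher file can drop or distrust a root as well as add one, which a size or Last-Modified comparison never reveals.

```python
# Constructed certdata.txt fragments (made-up CA labels, octal cert body cut short)
OLD_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 2"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""
NEW_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Root 2 is distrusted for TLS server auth in the newer snapshot
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 2"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

def parse_objects(certdata):
    """Split certdata.txt into dicts of ATTRIBUTE -> VALUE, one per CKA_CLASS."""
    objs, in_octal = [], False
    for line in certdata.splitlines():
        line = line.strip()
        if in_octal:                         # skip MULTILINE_OCTAL body up to END
            in_octal = line != "END"
            continue
        parts = line.split(None, 2)          # ATTRIBUTE TYPE VALUE
        if line.startswith("#") or len(parts) < 3:   # comment, blank, BEGINDATA, octal opener
            in_octal = len(parts) == 2 and parts[1] == "MULTILINE_OCTAL"
            continue
        if parts[0] == "CKA_CLASS" or not objs:   # every object starts with its class
            objs.append({})
        objs[-1][parts[0]] = parts[2].strip('"')
    return objs

def trusted_for_server_auth(certdata):
    """Labels mk-ca-bundle keeps by default: CKT_NSS_TRUSTED_DELEGATOR for server auth."""
    return {o["CKA_LABEL"] for o in parse_objects(certdata)
            if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
            and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}

def diff_trust_stores(old, new):
    a, b = trusted_for_server_auth(old), trusted_for_server_auth(new)
    return {"added": b - a, "removed": a - b}
```

Run against two real snapshots of certdata.txt the same way, the "removed" set is the one to look at first: those are roots the stale file would keep trusting.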

Received on 2013-12-16