On Thu, 1 Sep 2005, theo borm wrote:

> 1) licensing of the certificates:
> 1) Can be resolved relatively easily and quickly: Just ask the root
> certificate owners

I don't think obtaining the CA certs is the hard part, no.

> 2) Maintaining the chain of trust.

Here it starts getting complicated..

> 2) Is a bit more problematic, and requires a fundamental choise: Do you
> decide yourself whom to trust as a CA, or will you add any CA that wants to
> be added to your list.

I know for sure *I* cannot decide whom to trust, since I have no idea who
these companies are or if they are trustworthy. Also, the minute I start
accepting new CA certs I will get users suggesting what certs to add that they
claim are trustworthy and so on.

I could possibly ask around to see if there are users who have arguments for
or against specific companies, but that would be very random and inefficient.

[...]

> So what are we talking about - basically the forces of politics and lots of
> money at work. I symphatize with you for not wanting to become tied up too
> much in these areas.

I wouldn't mind being one member in a CA cert *team*, sorting these things
out, but I certainly have no intentions of heading such a task or team. For
the reasons you so clearly describe.

> If you want 1) to be sorted out I will gladly volunteer to send a polite
> email to the CA's listed in popular browsers and see what response I get. As
> to the second issue: my opinion (users should inform themselve) is not very
> helpfull.

If you by this mean CA certs that other browsers have but we don't provide in
our CA bundle, then I am indeed interested in getting this help.

Thanks!

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html