
curl-library

Re: Updated Mozilla certdata inclusion?

From: Guenter Knauf <eflash_at_gmx.net>
Date: Mon, 11 Feb 2008 19:18:37 +0100

Hi,
> Check into lib/curl's CVS and track the original and unmodified
> certdata.txt file
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
-1.

> In that way there would be absolutely no doubt that the license that
> applies to that file is the Mozilla triple license, and that lib/curl
> simply passes/distributes it along with absolutely no change at all.
There's no doubt about the licence with the converted ca-bundle.crt either, since mk-ca-bundle.pl copies the whole 'licence block' into the newly created ca-bundle.crt.

> In both cases the question which arises is...

> Would the generated ca-bundle.crt still be subject to the Mozilla
> triple license or could it just be lib/curl licensed ? I could argue
> both ways, I have no clear answer.
Well, the point is that the one we currently ship is most likely under the same licence;
so from a licence view it probably doesn't matter at all if we ship the old one, or a new one.

Found also a useful post here:
http://www.issociate.de/board/post/170599/updating_ca-bundle.crt.html

A third option - and perhaps the best from my point of view - would be if we started collecting our own certdata db; but for that we would need to:
- collect the 113 CAs (one is outdated, and probably not available anymore) directly from the issuers, and store the PEM + the URL from where we fetched it.
- think of a proper format; a plain text file would do for this purpose (though I would prefer mysql)

See also:
http://www.pki-page.org/

However, this would need some volunteers working on it...; and it should be its own project.

Guen.
Received on 2008-02-11