Bugs item #1889593, was opened at 2008-02-08 14:45
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1889593&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: https
Group: bad behaviour
Status: Open
Resolution: Duplicate
Priority: 5
Private: No
Submitted By: StartCom (startcom)
Assigned to: Daniel Stenberg (bagder)
Summary: Update of ca-bundle

Initial Comment:
I'm not sure why exactly the ca-bundle shipped with curl is from the year 2000, instead various resources are invested at the web site in order to explain how to get the ca-bundle updated. Would it be possible to ship this one instead with the default download?

http://curl.haxx.se/ca/cacert.pem

This file is about double the size compared to the one with the curl archive, meaning that most users of curl will have to update the ca-bundle in order to play nice. This is perhaps an unneeded step and confusing for many others which rely on shared hosting with no access to the relevant files.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2008-02-08 22:25

Message:
Logged In: YES
user_id=1110
Originator: NO

Thanks for helping out on this issue.

Regarding the current ca-bundle, the license of that is of course very
vague and unclear but that's already in, used and done (and also very old
and thus has been around for ages without anyone having complained or
raised this as in issue) and I don't think replacing it with one that has a
known license issue is a good option.

Also, see 'make ca-bundle' in the current CVS code, which gets and builds
a fresh cert bundle on demand.

----------------------------------------------------------------------

Comment By: StartCom (startcom)
Date: 2008-02-08 20:34

Message:
Logged In: YES
user_id=1078132
Originator: YES

Excellent! I'll discuss that over at Mozilla and come back to you
hopefully with an acceptable solution. Please leave the bug open for now
until then. Thanks.

----------------------------------------------------------------------

Comment By: Dan Fandrich (dfandrich)
Date: 2008-02-08 20:07

Message:
Logged In: YES
user_id=236775
Originator: NO

IINAL, but the Mozilla Foundation is within their rights to assert a
compilation copyright on their CA bundle, which apparently they have done.
Since curl is distributed under a MIT/X derivate license, a license
compatible with that one would be best. But I'm not the one the make the
call--please bring your offer to one of the curl mailing lists where it can
be discussed. Thank-you!

----------------------------------------------------------------------

Comment By: StartCom (startcom)
Date: 2008-02-08 19:54

Message:
Logged In: YES
user_id=1078132
Originator: YES

I was reading the other bugs. I can help straiten this out since I'm also
involved at Mozilla and/or could use other sources instead. First of all,
under which license did you obtain the current ca-bundle from Netscape?
Which license would you prefer (if at all).

CA certificates usually belong to the CAs and not to any party. Except a
few restricted ones, all CA certificates currently in use are published by
the CAs for consumption, hence I don't see a particular problem. If we can
solve the license issue you mentioned concerning Mozilla you could include
the extract tool into the build system, not requiring you to maintain the
ca-bundle at all.

----------------------------------------------------------------------

Comment By: Dan Fandrich (dfandrich)
Date: 2008-02-08 19:31

Message:
Logged In: YES
user_id=236775
Originator: NO

Duplicate of bug #1706732 and #1884844

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1889593&group_id=976
Received on 2008-02-08