Hi,
>> a third option - and perhaps the best from my point of view - would be if we
>> would start on collecting an own certdata db; but for that we would need to:

> I think this is a major undertaking that would need some thinking through
> before we'd jump into this. The biggest thing would be to ask ourselves the
> question: why? Why do we need to do this ourselves if we think the Mozilla
> guys are already doing a sufficiently good enough job? And even if we
> would think this, why would it be related to (lib)curl?
it isnt, and as I said 'this should be a separate project'.

> Wouldn't it just be a fresh new team trying to gather CA certs
> for trusted orgs to hand out using a clear license?
yup.

> Then we'd have to set up rules and guidelines for what certificates to
> accept, when they should be removed etc etc.

> I'm far from convinced that I would feel like being involved in such an
> effort. Not that it wouldn't be good or interesting, but simply because I
> already have so much involvement in too many things that I find more
> important, fun or interesting.
I'm 100% in sync with your oppinion here - I only wanted to mention this as option.

BTW. I will probably also put mk-ca-bundle.pl into httpd sources, and just
got some reply from a Mandriva dev who does import certdata.txt into their SVN;
just as Yang suggested:
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/rootcerts/current/SOURCES/
http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/%3c200802121904.37211.oeriksson@mandriva.com%3e

Guen.
Received on 2008-02-12