aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2008-02-07 15:43:36 +0000
committerDaniel Stenberg <daniel@haxx.se>2008-02-07 15:43:36 +0000
commit15bf16852705a585b694cb0d50d21f7edd6b7a88 (patch)
tree4e7a0c8b8836c3a452b1afe92cd6c3d29a5ccdb7 /lib
parent20e9fc73e2c073c49e88b72fb5e07a0bb62b6d9d (diff)
ca-bundle.crt documentational updates that more clearly describe the bundle
ca-bundle.crt file as outdated and in need for replacement by anyone who wants to verify modern peers as the one we have is from year 2000!
Diffstat (limited to 'lib')
-rw-r--r--lib/ca-bundle.crt42
1 files changed, 32 insertions, 10 deletions
diff --git a/lib/ca-bundle.crt b/lib/ca-bundle.crt
index d60b91110..6c0bec9eb 100644
--- a/lib/ca-bundle.crt
+++ b/lib/ca-bundle.crt
@@ -1,18 +1,40 @@
##
## $Id$
##
-## ca-bundle.crt -- Bundle of CA Root Certificates
-## Last Modified: Thu Mar 2 09:32:46 CET 2000
+## Last Modified: Thu Mar 2 09:32:46 CET 2000
+## (although we removed a cert from it in March 2003)
##
-## This is a bundle of X.509 certificates of public
-## Certificate Authorities (CA). These were automatically
-## extracted from Netscape Communicator 4.72's certificate database
-## (the file `cert7.db'). It contains the certificates in both
-## plain text and PEM format and therefore can be directly used
-## with an Apache+mod_ssl webserver for SSL client authentication.
-## Just configure this file as the SSLCACertificateFile.
+## This is a bundle of X.509 certificates of public Certificate Authorities
+## (CA). These were automatically extracted from Netscape Communicator 4.72's
+## certificate database (the file `cert7.db').
##
-## (SKIPME)
+## This file is to be treated as an example file these days, as it is very
+## outdated (it being last modified year 2000 should tell) and should be
+## replaced with a much more modern and up-to-date version.
+##
+## In the cURL project we've decided not to attempt to keep this file updated
+## since deciding what to add to a ca cert bundle is an undertaking we've not
+## been ready to accept.
+##
+## Today, with many services performed over HTTPS, every operating system
+## should come with a default ca cert bundle that can be deemed somewhat
+## trustworthy and that collection (if reasonably updated) should be deemed to
+## be a lot better than this old file.
+##
+## If you want the most recent collection of ca certs that Mozilla Firefox
+## uses (which should be seen as the effictive successor of Netscape 4.72 from
+## where this particular bundle originates from), we recommend that you
+## extract the collection yourself from Mozilla Firefox, or by using our
+## service setup for this purpose: http://curl.haxx.se/docs/caextract.html
+##
+## Due to the licensing of that particular file, we've decided to not simply
+## include that in the curl package/tree. It is of course arguable whether the
+## cacerts themselves actually are licensed under the Firefox's licenses but
+## until proven otherwise we will assume so and thus we avoid putting them in
+## any curl release/tarball.
+##
+## For more details on CA certs, how to use them with curl and a little about
+## what they're good for, see http://curl.haxx.se/docs/sslcerts.html
##
ABAecom (sub., Am. Bankers Assn.) Root CA