From 15bf16852705a585b694cb0d50d21f7edd6b7a88 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 7 Feb 2008 15:43:36 +0000 Subject: ca-bundle.crt documentational updates that more clearly describe the bundle ca-bundle.crt file as outdated and in need for replacement by anyone who wants to verify modern peers as the one we have is from year 2000! --- docs/FAQ | 33 +++++++++++++++++++++++++++++++-- lib/ca-bundle.crt | 42 ++++++++++++++++++++++++++++++++---------- 2 files changed, 63 insertions(+), 12 deletions(-) diff --git a/docs/FAQ b/docs/FAQ index 66c926de9..36a6791fe 100644 --- a/docs/FAQ +++ b/docs/FAQ @@ -1,4 +1,4 @@ -Updated: Dec 10, 2007 (http://curl.haxx.se/docs/faq.html) +Updated: Feb 7, 2008 (http://curl.haxx.se/docs/faq.html) _ _ ____ _ ___| | | | _ \| | / __| | | | |_) | | @@ -18,6 +18,7 @@ FAQ 1.8 I have a problem who do I mail? 1.9 Where do I buy commercial support for curl? 1.10 How many are using curl? + 1.11 Why don't you update ca-bundle.crt 2. Install Related Problems 2.1 configure doesn't find OpenSSL even when it is installed @@ -296,7 +297,7 @@ FAQ as used by numerous applications that include libcurl binaries in their distribution packages (like Adobe Acrobat Reader and Google Earth). - More than 70 known named companies use curl in commercial environments and + More than 80 known named companies use curl in commercial environments and products. More than 100 known named open source projects depend on (lib)curl. 
@@ -317,6 +318,34 @@ FAQ http://counter.li.org/estimates.php http://news.netcraft.com/archives/2005/03/14/fedora_makes_rapid_progress.html + 1.11 Why don't you update ca-bundle.crt + + The ca-bundle.crt file is to be treated as an example file these days, as it + is very outdated (it being last modified year 2000 should tell) and should + be replaced with a much more modern and up-to-date version by anyone who + wants to verify peers. + + In the cURL project we've decided not to attempt to keep this file updated + since deciding what to add to a ca cert bundle is an undertaking we've not + been ready to accept. + + Today, with many services performed over HTTPS, every operating system + should come with a default ca cert bundle that can be deemed somewhat + trustworthy and that collection (if reasonably updated) should be deemed to + be a lot better than this old file. + + If you want the most recent collection of ca certs that Mozilla Firefox uses + (which should be seen as the effictive successor of Netscape 4.72 from where + this particular bundle originates from), we recommend that you extract the + collection yourself from Mozilla Firefox, or by using our service setup for + this purpose: http://curl.haxx.se/docs/caextract.html + + Due to the licensing of that particular file, we've decided to not simply + include that in the curl package/tree. It is of course arguable whether the + cacerts themselves actually are licensed under the Firefox's licenses but + until proven otherwise we will assume so and thus we avoid putting them in + any curl release/tarball. + 2. Install Related Problems diff --git a/lib/ca-bundle.crt b/lib/ca-bundle.crt index d60b91110..6c0bec9eb 100644 --- a/lib/ca-bundle.crt +++ b/lib/ca-bundle.crt 
@@ -1,18 +1,40 @@ ## ## $Id$ ## -## ca-bundle.crt -- Bundle of CA Root Certificates -## Last Modified: Thu Mar 2 09:32:46 CET 2000 +## Last Modified: Thu Mar 2 09:32:46 CET 2000 +## (although we removed a cert from it in March 2003) ## -## This is a bundle of X.509 certificates of public -## Certificate Authorities (CA). These were automatically -## extracted from Netscape Communicator 4.72's certificate database -## (the file `cert7.db'). It contains the certificates in both -## plain text and PEM format and therefore can be directly used -## with an Apache+mod_ssl webserver for SSL client authentication. -## Just configure this file as the SSLCACertificateFile. +## This is a bundle of X.509 certificates of public Certificate Authorities +## (CA). These were automatically extracted from Netscape Communicator 4.72's +## certificate database (the file `cert7.db'). ## -## (SKIPME) +## This file is to be treated as an example file these days, as it is very +## outdated (it being last modified year 2000 should tell) and should be +## replaced with a much more modern and up-to-date version. +## +## In the cURL project we've decided not to attempt to keep this file updated +## since deciding what to add to a ca cert bundle is an undertaking we've not +## been ready to accept. +## +## Today, with many services performed over HTTPS, every operating system +## should come with a default ca cert bundle that can be deemed somewhat +## trustworthy and that collection (if reasonably updated) should be deemed to +## be a lot better than this old file. 
+## +## If you want the most recent collection of ca certs that Mozilla Firefox +## uses (which should be seen as the effictive successor of Netscape 4.72 from +## where this particular bundle originates from), we recommend that you +## extract the collection yourself from Mozilla Firefox, or by using our +## service setup for this purpose: http://curl.haxx.se/docs/caextract.html +## +## Due to the licensing of that particular file, we've decided to not simply +## include that in the curl package/tree. It is of course arguable whether the +## cacerts themselves actually are licensed under the Firefox's licenses but +## until proven otherwise we will assume so and thus we avoid putting them in +## any curl release/tarball. +## +## For more details on CA certs, how to use them with curl and a little about +## what they're good for, see http://curl.haxx.se/docs/sslcerts.html ## ABAecom (sub., Am. Bankers Assn.) Root CA -- cgit v1.2.3
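Review bot: the new table-of-contents entry "1.11 Why don't you update ca-bundle.crt" in the docs/FAQ hunk at @@ -18,6 lacks the question mark that the neighbouring entries 1.8, 1.9 and 1.10 carry. The section heading added at @@ -317,6 has the same omission. Suggest "1.11 Why don't you update ca-bundle.crt?" in both places so the index and the heading match the rest of the FAQ.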
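Review bot: the new section 1.11 in docs/FAQ (@@ -317,6) points readers at http://curl.haxx.se/docs/caextract.html for a replacement bundle but gives no guidance on checking what they download. A CA bundle is the trust anchor for every later peer verification, and the link as written is plain http://, so the text should tell readers to obtain the file over a channel they already trust or to compare it against the Firefox certificate store it was extracted from. Two wording fixes in the same paragraph: "effictive" should be "effective", and "from where this particular bundle originates from" has a doubled "from".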
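Review bot: in the lib/ca-bundle.crt hunk (@@ -1,18 +1,40) the "(SKIPME)" line and the title line "ca-bundle.crt -- Bundle of CA Root Certificates" are removed without any mention in the commit message; if any tool keys on that marker, the removal should be called out or the line kept. The new header also repeats the FAQ 1.11 text almost word for word, including the "effictive" typo and the doubled "from"; a short statement that the file dates from 2000 and should not be relied on to verify peers, plus the pointers to FAQ 1.11 and http://curl.haxx.se/docs/sslcerts.html, would keep the two copies from drifting apart. Note that the hunk changes only the header comments, so anyone who keeps using this file still trusts the year-2000 root set; the header would be clearer if it said so in its first lines rather than in the third paragraph.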