On Wednesday, 28 January 2015, at 5:19 pm, Giuseppe Mazzotta wrote: > On 28-01-15 16:42, Mike Hearn wrote: > > Just as a reminder, there is no obligation to use the OS root > > store. You can (and quite possibly should) take a snapshot of the > > Mozilla/Apple/MSFT etc stores and load it in your app. We do this > > in bitcoinj by default to avoid cases where BIP70 requests work on > > some platforms and not others, although the developer can easily > > override this and use the OS root store instead. > > > Except that Mozilla/Apple/MSFT will update these certificate stores - > second their policies - and your snapshot/collection might get > outdated at a different pace than the OS-provided certificates, > depending on how you (or the package maintainer) are rolling out updates.
I'm frankly _horrified_ to learn that BitcoinJ ships its own root CA certificates bundle. This means that, if a root CA gets breached and a certificate gets revoked, all BitcoinJ-using software will be vulnerable until BitcoinJ ships an update *and* the software in question pulls in the new BitcoinJ update and releases its own update. That might never happen. ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
