Understood. My main reason for telling them is that Google Chrome complains
bitterly when asked to download a http link from a page that was fetched with
https.
I hadn't noticed that yesterday because I was analyzing the problem on a Linux
VM and copy-pasted all the URLs from Chrome on my desktop to wget in the VM.
-----Ursprüngliche Nachricht-----
Von: openssl-users <openssl-users-boun...@openssl.org> Im Auftrag von Viktor
Dukhovni
Gesendet: Freitag, 16. September 2022 16:22
An: openssl-users@openssl.org
Betreff: Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared
to 1.0.2?.
On Fri, Sep 16, 2022 at 02:11:38PM +0000, Andrew Lynch via openssl-users wrote:
...
>
> I’ve also asked my colleagues why the download is http instead of
> https…
You should look to multiple independent sources to validate the authenticity of
a trust anchor public key. Trusting "https" to prove the validity of a WebPKI
trust anchor is a bit too circular.
Also "https" is redundant for CRL and intermediate CA distribution, since these
are signed by the issuing CA. That said, the same ".crt"
file is availabe via "https":
...
Trust anchor certificates are often delivered as an operating system "package",
and ideally the package maintainers apply proper due diligence.
--
Viktor.
