On Sat, 2 Jul 2016, Vinayak Tanksale wrote:

> How do we know that we need to download a new one?

There's no good answer to that. The cacert file is a list of signatures of the CAs you and your app trust. How often does that change? The file you decide to depend on is updated by mozilla (and then my script) so you need to decide yourself how to act when it changes.

There's no right or wrong here, you just have to decide how to deal with it.

> We have an app that uses cacert.pem and if a new one is issued then the app stops functioning.

That is most likely incorrect. The new cacert bundle will be mostly identical to the old one, with a few added and a few removed, so only a subset of all certificates in the world will get a different treatment.

Remember how large parts of the internet don't update their cacert equivalents more than once every few years so it is quite natural that changes in the trust store as well as which CAs are used on the Internet will move slowly.

> We would ideally want as little downtime as possible. We are downloading the file once a day via a script, but if there was a way to know when a new cacert had been posted then we could download it right away without waiting for our script to run.

Then you should probably monitor the mozilla hg repo that hosts the original file and trigger building a new cacert once that updates instead of relying on the curl.haxx.se service that may take up to almost 24 hours until an update shows up, and then your update script may be unaligned with that so it could add almost another 24 hours if you're unlucky.

But I think you're overdoing this. I think you can survive fine with getting an update every once in a while.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
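An added example, not code from curl, from mk-ca-bundle.pl or from anyone in this thread, of the approach described in the reply above: keep a digest of the upstream file so a change can be detected between polls, then diff the rebuilt bundle against the one the app currently trusts and only swap it in when the change looks like the expected "a few added, a few removed". It parses the cacert.pem layout that mk-ca-bundle.pl writes (CA name, a line of `=`, then the PEM block). The certificates below are constructed placeholder bytes, not real CA certificates; the 10 % removal threshold is an assumption to tune per application; and the HTTP fetch of certdata.txt / cacert.pem is left out so the example runs offline.

```python
"""Diff two CA bundles in cacert.pem layout and gate an automated swap."""
import base64
import hashlib
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Map SHA-256 fingerprint (over the decoded DER bytes) -> CA label.

    The label is the line above the '=====' underline, which is where
    mk-ca-bundle.pl puts the CA name for each certificate."""
    certs = {}
    label, b64, in_cert, prev = None, [], False, ""
    for line in text.splitlines():
        line = line.rstrip()
        if in_cert:
            if line == END:
                der = base64.b64decode("".join(b64))
                certs[hashlib.sha256(der).hexdigest()] = label or "(unlabelled)"
                b64, in_cert = [], False
            else:
                b64.append(line.strip())
        elif line == BEGIN:
            in_cert = True
        elif line and set(line) == {"="}:
            label = prev  # the underlined line is the CA name
        prev = line
    return certs


def diff_bundles(old_text, new_text):
    """Return (added, removed, kept): added/removed map fingerprint -> label."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    added = {fp: new[fp] for fp in new.keys() - old.keys()}
    removed = {fp: old[fp] for fp in old.keys() - new.keys()}
    return added, removed, len(old.keys() & new.keys())


def safe_to_replace(old_text, new_text, max_removed_fraction=0.10):
    """Gate for an updater: refuse an empty or unparseable bundle, or one
    that drops more than max_removed_fraction of the currently trusted CAs
    (the threshold is an assumption; an unexpected mass removal usually
    means a truncated download or a broken rebuild, not a real change)."""
    added, removed, kept = diff_bundles(old_text, new_text)
    if kept + len(added) == 0:
        return False, "new bundle contains no certificates"
    old_total = kept + len(removed)
    if old_total and len(removed) / old_total > max_removed_fraction:
        return False, f"{len(removed)}/{old_total} CAs removed, above threshold"
    return True, f"{len(added)} added, {len(removed)} removed, {kept} kept"


def content_digest(data: bytes) -> str:
    """Digest to persist between polls of the upstream file: rebuild the
    bundle only when this differs from the last value seen."""
    return hashlib.sha256(data).hexdigest()


def make_bundle(entries):
    """Write (label, der_bytes) pairs in cacert.pem layout. Used here only
    to construct sample input; real bundles come from mk-ca-bundle.pl."""
    out = []
    for label, der in entries:
        body = textwrap.fill(base64.b64encode(der).decode(), 64)
        out.append(f"{label}\n{'=' * len(label)}\n{BEGIN}\n{body}\n{END}\n")
    return "\n".join(out)


# Constructed sample data: placeholder DER bytes, not real certificates.
_old_entries = [(f"Example Root CA {i}", f"root-{i}".encode()) for i in range(1, 11)]
_new_entries = [e for e in _old_entries if e[0] != "Example Root CA 3"] + [
    ("Example Root CA 11", b"root-11")
]
OLD = make_bundle(_old_entries)
NEW = make_bundle(_new_entries)

if __name__ == "__main__":
    added, removed, kept = diff_bundles(OLD, NEW)
    print("added:", sorted(added.values()))
    print("removed:", sorted(removed.values()))
    print("kept:", kept)
    print(safe_to_replace(OLD, NEW))
    print("upstream changed:", content_digest(NEW.encode()) != content_digest(OLD.encode()))
```

In a cron job the flow is: fetch certdata.txt, compare `content_digest` of the download with the stored value, rebuild with mk-ca-bundle.pl only on a change, then run `safe_to_replace` against the bundle currently deployed and log the added/removed labels either way, so a CA removal that matters to your app is visible before it bites rather than after.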
