On Tue, Dec 17, 2013 at 5:01 AM, Leif W <[email protected]> wrote:
> Hello,
>
> Many 3rd party software applications pull copies of the certdata.txt to
> generate PEM files (perhaps other uses). Recently, for example, I was
> looking at curl's mk-ca-bundle script, and it pulls from MXR's mozilla[1]
> which is nearly a year old.
>
This is better discussed on the dev-tech-crypto mailing list.

You should always be able to retrieve the file over HTTPS from hg.mozilla.org. If I had to choose a version to use for a non-Firefox application, I guess I would choose one of the tagged release versions from https://hg.mozilla.org/projects/nss.

However, be aware that certdata.txt is designed to be used (only) by NSS's build system. In theory the file format could change at any time and/or we could change the way NSS works so that you need additional information to construct an equivalent trust policy to NSS. Similarly, we could change how Gecko works so that it has different (probably stricter) criteria than NSS. For example, we are looking into the possibility of a short-term solution for name-constraining some root certificate(s) and AFAICT there is no way to generate a ca-bundle file that will be equivalent to the trust policy that NSS and/or Gecko would have.

Consequently, I recommend that you manually review whichever certdata.txt you retrieve and also look at the release notes for the version of NSS that you retrieved it from. I would consider such manual review to be necessary but still insufficient for safely using certdata.txt outside of NSS.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
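The point Brian makes above, that a flat PEM bundle cannot carry the trust policy encoded in certdata.txt, can be made concrete by parsing the file's record layout and comparing what a mk-ca-bundle-style export keeps against what NSS records. The script below is an added illustration, not code from this thread, from curl, or from NSS. It embeds a constructed three-record sample in the certdata.txt layout (the CKA_VALUE octets are placeholders, not valid DER), and it pairs each CKO_CERTIFICATE with its CKO_NSS_TRUST object by CKA_LABEL for brevity; that join is an assumption of the example, since NSS itself matches the two by issuer and serial number.

```python
"""Parse certdata.txt-style records and show which trust decisions a PEM export loses."""
import base64
import re

# Constructed sample in the certdata.txt record layout (not real roots; the
# CKA_VALUE bytes are placeholders, not valid DER certificates).
SAMPLE = r'''
# Certificate "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\001\002
END

# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Mail Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Mail Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000\003\004
END

# Trust for "Mail Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Mail Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Distrusted Sub CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted Sub CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\000\005\006
END

# Trust for "Distrusted Sub CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted Sub CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
'''

OCTAL = re.compile(r'\\([0-7]{3})')


def parse_certdata(text):
    """Return one dict per CKA_CLASS block. MULTILINE_OCTAL attributes are
    decoded to bytes (\\NNN escapes up to the END line); others stay strings."""
    objects = []
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1]
        if typ == 'MULTILINE_OCTAL':
            buf = bytearray()
            for raw in lines:          # consumes the shared iterator until END
                if raw.strip() == 'END':
                    break
                buf.extend(int(o, 8) for o in OCTAL.findall(raw))
            value = bytes(buf)
        else:
            value = parts[2].strip('"') if len(parts) > 2 else ''
        if attr == 'CKA_CLASS':
            objects.append({})
        objects[-1][attr] = value
    return objects


def join_trust(objects):
    """Pair each certificate with its trust object. Joins on CKA_LABEL, an
    assumption of this example; NSS matches them by issuer and serial number."""
    certs = {o['CKA_LABEL']: o for o in objects if o.get('CKA_CLASS') == 'CKO_CERTIFICATE'}
    trust = {o['CKA_LABEL']: o for o in objects if o.get('CKA_CLASS') == 'CKO_NSS_TRUST'}
    return {label: (certs[label], trust.get(label, {})) for label in certs}


def to_pem(der):
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'


def server_auth_bundle(objects):
    """The mk-ca-bundle-style export: roots whose CKA_TRUST_SERVER_AUTH is
    CKT_NSS_TRUSTED_DELEGATOR, as [(label, pem)]. Everything else is dropped."""
    return [(label, to_pem(cert['CKA_VALUE']))
            for label, (cert, trust) in join_trust(objects).items()
            if trust.get('CKA_TRUST_SERVER_AUTH') == 'CKT_NSS_TRUSTED_DELEGATOR']


def policy_not_expressible(objects):
    """Trust decisions present in the records that a flat PEM bundle cannot
    carry. Returns {label: reason}."""
    lost = {}
    for label, (cert, trust) in join_trust(objects).items():
        flags = {k: v for k, v in trust.items() if k.startswith('CKA_TRUST_')}
        if 'CKT_NSS_NOT_TRUSTED' in flags.values():
            # A bundle can only omit a certificate; it has no way to say
            # "reject this one even if it chains to a trusted root".
            lost[label] = 'explicit distrust (CKT_NSS_NOT_TRUSTED) dropped'
        elif (flags.get('CKA_TRUST_SERVER_AUTH') == 'CKT_NSS_TRUSTED_DELEGATOR'
              and any(v != 'CKT_NSS_TRUSTED_DELEGATOR' for v in flags.values())):
            # Exported as a bare root: a consumer that also uses the bundle for
            # S/MIME or code signing silently widens what NSS grants.
            lost[label] = 'per-usage trust collapsed to unconditional trust'
    return lost


if __name__ == '__main__':
    objs = parse_certdata(SAMPLE)
    print('exported:', [label for label, _ in server_auth_bundle(objs)])
    print('not expressible in a bundle:', policy_not_expressible(objs))
```

Run against the sample, the export keeps only "Example Root CA", while the explicit distrust of "Distrusted Sub CA" and the server-auth-only scope of "Example Root CA" both vanish. Name constraints of the kind Brian mentions would be a third category with no PEM representation at all, which is why the reviewed-by-hand step he recommends cannot be skipped.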

