[guardian-dev] onionkit's ca bundle
Hans-Christoph Steiner
hans at guardianproject.info
Fri May 31 12:22:36 EDT 2013
On 05/31/2013 10:13 AM, Nathan of Guardian wrote:
> On 05/31/2013 06:00 AM, Abel Luck wrote:
>> Maintaining a ca cert bundle is a pretty big responsibility. These
>> days Google and Mozilla tend to be on top of maintaining their certs.
> I currently build it on a regular bases from Debian's set of certs:
> /etc/ssl/certs/
>
> How do you feel about that vs Google and Mozilla?
>
> The goal was to have a standardized set no matter the device you are
> running on. We have to expect wildly different trusted roots for phones
> in China and elsewhere.
I think that Debian's is a good source, but we have two questions relating to
keeping it up-to-date:
1) the cacert framework should always ship with the latest version of that
bundle (sounds like Abel has already addressed that with his pull requests)
2) the cacert framework should be able to update the cacert.bks itself.
So I propose to move all of the code for generating cacert.bks from the Debian
keystore into the cacert framework itself. Then we add the ability to poll
for updates, and to manually trigger updates.
Then we don't need to worry about updates or infrastructure, we can rely on
Debian for that.
.hc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 939 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20130531/92b8dbf7/attachment.pgp>
More information about the Guardian-dev
mailing list