Trusted CA pack

Trusted CA pack

Warrick FitzGerald-2
Is there somewhere you can download a package of all currently
"trusted" CAs? I know this is a very broad question, as it depends on
who defines which ones are trusted.

I was just thinking that, since vendors like $MS have a list of standard
trusted CAs, the open-source community would have something similar.

Does such a list / pack exist, or do you need to hand-pick your trusted
CAs?

Thanks
Warrick

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Trusted CA pack

Heikki Toivonen
Warrick FitzGerald wrote:
> Is there somewhere that you can download a package of all currently
> "trusted" CA's. I know this is a very broad question, as who defines who
> the trusted ones are.

Mozilla has a pretty good policy on CA certs IMO, and they obviously
ship it with Mozilla products. It's in a format that is not compatible
with OpenSSL, but the curl people have made a conversion tool and
provide an already converted Mozilla CA list. See
http://curl.haxx.se/docs/caextract.html

See Mozilla policy here: http://www.hecker.org/mozilla/ca-certificate-policy

--
  Heikki Toivonen



Re: Trusted CA pack

Olaf Gellert
In reply to this post by Warrick FitzGerald-2
Warrick FitzGerald wrote:
> Is there somewhere that you can download a package of all currently
> "trusted" CA's. I know this is a very broad question, as who defines who
> the trusted ones are.
>
> I was just thinking that since vendors like $MS have a list of standard
> trusted CA's, that the OpenSource community would have something similar.
>
> Does such a list \ pack exist, or do you need to hand pick your trusted
> CA's?

There are some different flavours of such a list. As getting a CA
certificate included in the MS applications merely depends on money
(even after the switch to the WebTrust scheme), the open-source
community is working on its own processes.

There are some attempts to bundle CA certificates made
by different communities. For example there is a collection
of the CA certificates of the European research networks
(http://www.tacar.org/) and there is the European Bridge
CA (http://www.bridge-ca.org/).

I am always keen to learn about other attempts to
solve the problem of root certificate distribution.

Cheers, Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [hidden email]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet

RE: Trusted CA pack

gordey (Bugzilla)
In reply to this post by Warrick FitzGerald-2
Joe Orton, from the mod_ssl list, submitted this Perl script.

His original post:
http://www.mail-archive.com/modssl-users@.../msg16980.html

Works Great!

#!/usr/bin/perl -w
#
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
# Run as ./mkcabundle.pl > ca-bundle.crt
#
# Note: every CKA_VALUE block in certdata.txt is converted; the trust
# attributes stored next to each certificate are not consulted, so
# review the output before deploying it as a trust store.
#
use strict;

# "[EMAIL PROTECTED]" is the list archive's address obfuscation; substitute
# the user@host of the anonymous Mozilla CVS server before running.
my $cvsroot = ':pserver:[EMAIL PROTECTED]:/cvsroot';
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';

# Stream certdata.txt straight from CVS (-p) without a local checkout.
open(IN, "cvs -d $cvsroot co -p $certdata|")
    || die "could not check out certdata.txt";

my $incert = 0;   # true while inside a CKA_VALUE MULTILINE_OCTAL block

print<<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while (<IN>) {
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
        # Start of a DER certificate body: pipe the raw bytes to openssl,
        # which prints the decoded text, the fingerprint and the PEM form.
        $incert = 1;
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
            || die "could not pipe to openssl x509";
    } elsif (/^END/ && $incert) {
        close(OUT);
        $incert = 0;
        print "\n\n";
    } elsif ($incert) {
        # Each line is a run of \ooo octal escapes; emit one byte per escape.
        my @bs = split(/\\/);
        foreach my $byte (@bs) {
            chomp $byte;
            printf(OUT "%c", oct($byte)) unless $byte eq '';
        }
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
        print "# Generated from certdata.txt RCS revision $1\n#\n";
    }
}
close(IN);

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Warrick FitzGerald
Sent: Wednesday, November 09, 2005 9:22 PM
To: [hidden email]
Subject: Trusted CA pack

Is there somewhere that you can download a package of all currently
"trusted" CA's. I know this is a very broad question, as who defines who
the trusted ones are.

I was just thinking that since vendors like $MS have a list of standard
trusted CA's, that the OpenSource community would have something similar.

Does such a list \ pack exist, or do you need to hand pick your trusted
CA's?

Thanks
Warrick

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
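As an added example (not the thread's code and not Joe Orton's script), here is a Python equivalent of the certdata.txt conversion that also reads the trust object stored next to each certificate: the Perl script above emits every CKA_VALUE it finds, whereas a trust store should only contain roots whose CKA_TRUST_SERVER_AUTH attribute grants trusted-delegator status. The sample input is constructed and abbreviated, and joining certificate and trust objects on CKA_LABEL is an assumption.

```python
import base64
import re

# Constructed, abbreviated certdata.txt excerpt (not Mozilla data; the CKA_VALUE bytes are
# placeholder DER). "Good Root" is trusted for TLS server auth, "Distrusted Root" is not.
SAMPLE_CERTDATA = r"""
CKA_LABEL UTF8 "Good Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_LABEL UTF8 "Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_LABEL UTF8 "Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_LABEL UTF8 "Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_certdata(text):
    # Returns ({label: der_bytes}, {label: CKA_TRUST_SERVER_AUTH value}). Certificate and
    # trust objects are joined on CKA_LABEL (an assumption; also check issuer/serial in prod).
    certs, trust, label, octal = {}, {}, None, None
    for line in text.splitlines():
        if line.startswith("CKA_LABEL "):
            label = line.split(" ", 2)[2].strip('"')
        elif line == "CKA_VALUE MULTILINE_OCTAL":
            octal = []                      # start collecting \ooo escapes
        elif octal is not None:
            if line == "END":
                certs[label] = bytes(int(d, 8) for d in re.findall(r"\\([0-7]{3})", "".join(octal)))
                octal = None
            else:
                octal.append(line)
        elif line.startswith("CKA_TRUST_SERVER_AUTH "):
            trust[label] = line.split()[-1]
    return certs, trust

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(text):
    # Emit PEM only for roots whose trust object grants *_TRUSTED_DELEGATOR for server
    # auth; this accepts both the CKT_NSS_ and the older CKT_NETSCAPE_ spellings.
    certs, trust = parse_certdata(text)
    ok = [l for l in certs if trust.get(l, "").endswith("_TRUSTED_DELEGATOR")]
    return "".join(f"# {l}\n{to_pem(certs[l])}" for l in ok), [l for l in certs if l not in ok]
```

Running build_bundle over a real certdata.txt drops roots that Mozilla ships only to record an explicit distrust, which the unfiltered conversion would silently include.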