[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Lynx-dev] cert bundle sources
|
From: |
Thorsten Glaser |
|
Subject: |
Re: [Lynx-dev] cert bundle sources |
|
Date: |
Sat, 21 Mar 2009 19:06:00 +0000 (UTC) |
Stefan Caunter dixit:
>Going through the procedure for exporting certs from IE it seems that
>IE (and FF) export only one DER formatted cert at a time from Windows.
Opera too, but ISTR they did export PEM.
I tried to bundle all of them (except expired or invalid ones),
except for Bloatzilla it was easier to use their certstore source
file (and, in turn, patch the Firetapir port to MirBSD with our
own bundle).
The last MSIE export I did was IE 5.5 / Win2kSP2, I think.
For FF, it was much more recent, end of last year's CAs or
so, same for Opera (9.6x), curl, sendmail. They all do not
list many CAs others do not.
As for high/low trust CAs: the "export" certificates have
long gone, and as of 2009, all "known" CAs stopped using MD5
in newly issued certificates, so I think we're relatively
safe. Of course, one cannot be sure 100%, especially conside-
ring the (mostly unencrypted) ways we actually get the certi-
ficates, but... better than nothing, isn't it?
Which is why I had the known_hosts alike idea.
bye,
//mirabilos
--
“It is inappropriate to require that a time represented as
seconds since the Epoch precisely represent the number of
seconds between the referenced time and the Epoch.”
-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2