[Dev] What root certificates to ship with Chandler?
Mark.J.Franklin at Dartmouth.EDU
Mon Nov 8 18:13:19 PST 2004
I agree that using Mozilla's list is a good starting point. It is
possible to export root certificates from Internet Explorer, so you have
an easy way to include any of the MS approved root certificates if you
wish. Some institutions (like Dartmouth) have their own self-signed CA
and will appreciate a way to add their own root certificates to the
store. This will also be important to people wishing to incorporate new
commercial root certificates without needing to wait for OSAF to add
them. Also important is the ability for the user or institution to
remove certificates from the store if they decide they don't want to
trust them any more. For example, one might not want trust the CA that
issued SSL certificates to the infamous marketscore.com. A truly
cautious user might want to remove all root certificates from the
trusted store and only add root and users certificates for trust one at
a time as needed.
Jeffrey Harris wrote:
> +1 for using Mozilla's root certificate list. I trust Mozilla to do a
> good job, I don't see a need to reinvent that wheel.
> At some future date I can imagine volunteers or OSAF staff writing
> platform specific patches to use a platform's existing certificate list,
> that seems like something we could wait a long time to implement without
> any significant problem.
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> Open Source Applications Foundation "Dev" mailing list
More information about the Dev