[Dev] What root certificates to ship with Chandler?
Mark Franklin
Mark.J.Franklin at Dartmouth.EDU
Mon Nov 8 18:13:19 PST 2004
I agree that using Mozilla's list is a good starting point. It is
possible to export root certificates from Internet Explorer, so you have
an easy way to include any of the MS approved root certificates if you
wish. Some institutions (like Dartmouth) have their own self-signed CA
and will appreciate a way to add their own root certificates to the
store. This will also be important to people wishing to incorporate new
commercial root certificates without needing to wait for OSAF to add
them. Also important is the ability for the user or institution to
remove certificates from the store if they decide they don't want to
trust them any more. For example, one might not want to trust the CA that
issued SSL certificates to the infamous marketscore.com. A truly
cautious user might want to remove all root certificates from the
trusted store and only add root and user certificates for trust one at
a time as needed.
Mark
Jeffrey Harris wrote:
> +1 for using Mozilla's root certificate list. I trust Mozilla to do a
> good job, I don't see a need to reinvent that wheel.
>
> At some future date I can imagine volunteers or OSAF staff writing
> platform specific patches to use a platform's existing certificate list,
> that seems like something we could wait a long time to implement without
> any significant problem.
>
> Sincerely,
> Jeffrey
>
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>
> Open Source Applications Foundation "Dev" mailing list
> http://lists.osafoundation.org/mailman/listinfo/dev