On Sat, 16 Aug 2008, Nelson B Bolyard wrote:

>> curl is completely independent from browsers, and when installed in systems
>> it usually uses the system-wide CA cert bundle. Of course it has command
>> line options to allow the user to specify what CA bundle to use (or indeed
>> other certs etc).
>
> Daniel, thank you for that observation. It tells me that cURL is designed
> around the OpenSSL idea that the set of trusted certs is a system-wide set,
> rather than a per-user set.
Well, I don't think this is a curl or any other app thing. Most people install an app and they get some default install. Even NSS users such as Firefox bring a CA cert bundle that they think the user should use. For a typical user of curl or Firefox, they have no idea who provided the ca cert bundle or if it is user-specific or system-specific. Not to mention that many systems these days are private machines so system == user.

This said, curl is an app that uses libcurl and libcurl can be built to use OpenSSL, GnuTLS or NSS and we make our best to not make the choice of SSL/TLS library affect how the app is used...

> Previously, someone criticized NSS, saying that it was designed for use only
> on single-user systems, a criticism that I dispute. NSS is very much
> oriented toward each user having his own set of trusted flags. In contrast to
> NSS, the idea that there is only one system-wide set of trusted certs, and
> that each user does not have his own set, is a very single-user-system
> approach.

Now you're putting words in my mouth. At no point did I say that any of the other libs prevents or even makes it hard to use user-specified certs. I don't think they do. But they do make it easy to use PEM certificates, and Linux distros these days ship CA certs in PEM format. Lots of apps use that system-wide ca cert bundle (by default), but NSS built apps do not. The NSS-apps either don't have any ca cert bundle at all or they find out which one Firefox uses and get that... (or in Fedora's case they run a patch for NSS that makes it capable of reading the system-wide PEM file)

> Perhaps it is most appropriate for cURL to follow the OpenSSL system-wide
> cert store model when using OpenSSL, and to follow the NSS cert store for
> each user model when using NSS.

Eeep. OpenSSL does not have a "system-wide cert store model" any more than NSS does afaik. Most Linux distros do however provide a system-wide ca cert bundle for all apps that can read PEM.
(This does not force any user to use that bundle.)

-- 
  / daniel.haxx.se

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
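The thread keeps coming back to the distro-shipped PEM bundle and to how the curl tool is pointed at one. The script below is an added example, not code from this thread or from the curl project: it parses a PEM bundle into its DER certificates (the format the distros ship and that "apps that can read PEM" consume) and resolves which file the curl tool would read, modelling the documented precedence of `--cacert` over the `CURL_CA_BUNDLE` environment variable over the compiled-in default. The sample bundle is constructed (its base64 payloads are arbitrary bytes, not real certificates) and the list of default bundle paths is an assumption about common distro layouts, not curl's actual build-time value.

```python
"""Inspect a PEM CA bundle and resolve which bundle the curl tool would use."""
import base64
import hashlib
import os
import re

# Constructed sample bundle: the payloads are arbitrary bytes, NOT real CA
# certificates. Real bundles also carry comment lines and text between
# entries, which the parser must skip.
SAMPLE_BUNDLE = """# constructed sample bundle, not real CA certs
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
Free text between entries is common in distro bundles and is ignored.
-----BEGIN CERTIFICATE-----
//79/Pv6+fj39vU=
-----END CERTIFICATE-----
"""

# A CERTIFICATE block is the base64 between its BEGIN/END markers; anything
# outside those markers is not part of any certificate.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Assumed common system-wide bundle locations (Debian/Ubuntu, Fedora/RHEL,
# openSUSE); curl's real default is chosen at build time.
DEFAULT_BUNDLE_PATHS = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
]


def parse_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Strict base64 validation (validate=True) makes a corrupted entry raise
    binascii.Error instead of being silently decoded into garbage.
    """
    ders = []
    for match in PEM_BLOCK_RE.finditer(text):
        b64 = "".join(match.group(1).split())  # drop the 64-column line breaks
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprints(ders):
    """SHA-256 fingerprint (hex) of each DER certificate, as tools print it."""
    return [hashlib.sha256(der).hexdigest() for der in ders]


def resolve_bundle_path(explicit=None, env=None):
    """Which bundle the curl tool reads: --cacert, then CURL_CA_BUNDLE,
    then the first existing default path (None if none exists)."""
    if explicit:
        return explicit
    env = os.environ if env is None else env
    if env.get("CURL_CA_BUNDLE"):
        return env["CURL_CA_BUNDLE"]
    for path in DEFAULT_BUNDLE_PATHS:
        if os.path.isfile(path):
            return path
    return None


if __name__ == "__main__":
    certs = parse_bundle(SAMPLE_BUNDLE)
    print(f"{len(certs)} certificate(s) in sample bundle")
    for fp in fingerprints(certs):
        print("  sha256:", fp)
    print("curl would read:", resolve_bundle_path())
```

Pointing the script at a real bundle (for example the path printed by `resolve_bundle_path()`) lists what an app that trusts the system-wide bundle actually trusts, which is the inventory question the thread raises about per-user versus system-wide stores.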