Copying Mozilla's certificate database into a PEM file to use in your OpenSSL app is a recipe for unpleasant surprises, unfortunately.
@bagder @ivanristic AFx has features (e.g. revocation push) to compensate for weaknesses in its trust database, that most apps don't have.
@BRIAN_____ @bagder @ivanristic plus the CNNIC date constraint?
@bkhowson @bagder @ivanristic Yep. There's lots of little things like that.
@BRIAN_____ @bkhowson @bagder Given that “everyone” follows the Mozilla roots, why doesn’t Mozilla provide an official export?
@ivanristic @bkhowson @bagder Some of it is enforced in code. It's all open source. There are no standards for declarative representation.
@BRIAN_____ @ivanristic I've often wondered why roots are self-signed. Wouldn't it be easy to express these tweaks if they weren't?
@j4cob @ivanristic No, because there isn't any standard for describing them declaratively.
@BRIAN_____ @j4cob Sounds like a project Mozilla’s Winter of Security :)
@BRIAN_____ @bagder @ivanristic at a minimum, there are trust settings in the Mozilla database. Some entries are explicit distrust.
@pzb @BRIAN_____ @ivanristic right, and distrust doesn't really map to a PEM
@bagder @BRIAN_____ @ivanristic I'm showing 5 things in certdata.txt without any trust set: http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#31451 …, http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#4027 …
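
The trust settings mentioned in the replies above, as an added example that is not part of the thread: a small reader for the `CKO_NSS_TRUST` records in certdata.txt that separates trust anchors from explicitly distrusted entries and entries with no trust set, which a flat PEM bundle cannot express. The sample input is constructed, its labels are made up, and the function names are this example's own.

```python
import re

# Constructed sample in certdata.txt syntax (made-up labels; hash and DER blocks omitted).
SAMPLE = '''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Cert"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Unset Cert"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

def parse_trust(text):
    """Return {label: {purpose: trust value}} for each CKO_NSS_TRUST object."""
    objects, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("CKA_CLASS"):
            # Only trust objects carry CKA_TRUST_* attributes; skip certificate objects.
            current = {} if line.endswith("CKO_NSS_TRUST") else None
        elif current is not None:
            if m := re.match(r'CKA_LABEL UTF8 "(.*)"$', line):
                objects[m.group(1)] = current  # real data can repeat labels; fine for a demo
            elif m := re.match(r'CKA_TRUST_(\w+) CK_TRUST (CKT_NSS_\w+)$', line):
                current[m.group(1)] = m.group(2)
    return objects

def classify(trust, purpose="SERVER_AUTH"):
    """Map each label to 'anchor', 'distrusted' or 'unspecified' for one purpose."""
    names = {"CKT_NSS_TRUSTED_DELEGATOR": "anchor", "CKT_NSS_NOT_TRUSTED": "distrusted"}
    return {label: names.get(attrs.get(purpose), "unspecified")
            for label, attrs in trust.items()}

def anchors(text, purpose="SERVER_AUTH"):
    """Labels that may go into a PEM bundle for this purpose; everything else stays out."""
    return [l for l, state in classify(parse_trust(text), purpose).items() if state == "anchor"]

if __name__ == "__main__":
    print(classify(parse_trust(SAMPLE)), anchors(SAMPLE))
```

Exporting every certificate object regardless of these records would put the distrusted and unset entries into the bundle as if they were roots.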