On Sat, Dec 20, 2014 at 02:29:44PM +0000, Dr. Stephen Henson wrote:
> On Fri, Dec 19, 2014, Sean Leonard wrote:
>
> >
> > On Dec 19, 2014, at 11:35 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> >
> > > On Fri, Dec 19, 2014 at 03:05:32PM +0000, Viktor Dukhovni wrote:
> > >> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
> > >>
> > >>> Does OpenSSL have documented someplace exactly what it means to have a
> > >>> "TRUSTED CERTIFICATE"?
> > >>
> > >> It is a certificate + auxiliary data which specifies a friendly name
> > >> plus a set of EKUs.
> > >
> > > Mozilla provides a list of root certificates and that includes at
> > > least the trust settings for that certificate.
> >
> > What exactly is the Mozilla (NSS) format? How does it differ from the
> > OpenSSL format?
> >
>
> The last time I checked NSS stored the trust data in a database (Berkeley DB)
> and the trust attributes could be accessed via PKCS#11. I'm not aware of any
> way to export the certificates to a file which retains the trust settings.
>
> I'm not aware of any standard for trust settings. There certainly wasn't
> one when this was added to OpenSSL.

The source is actually a text file you can see here:
https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt

As far as I know they turn the file into a database, not the other
way around.


Kurt
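
A small reader for the trust records in a certdata.txt-style file, added here as an illustration; it is not code from NSS, OpenSSL or anyone in this thread. It assumes the layout of that file (CKO_NSS_TRUST objects that carry CKA_TRUST_* attributes next to the certificate's SHA-1 hash); the function names are hypothetical and the sample entry is constructed.

```python
import re

# Constructed sample in certdata.txt layout; the label and hash bytes are made up.
SAMPLE = r'''
# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004\005\006\007\010\011\012
\013\014\015\016\017\020\021\022\023\024
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
'''

def parse_objects(text):
    """Split certdata.txt text into objects: attribute name -> (type, value)."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or not parts[0].startswith("CKA_"):
            continue  # comments, blank lines, BEGINDATA and other header lines
        name, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            octal = ""
            for body in lines:  # consume the octal body up to its END line
                if body.strip() == "END":
                    break
                octal += body
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
        else:
            value = parts[2].strip('"') if len(parts) > 2 else ""
        if name == "CKA_CLASS":  # each object opens with its CKA_CLASS line
            objects.append({})
        if objects:
            objects[-1][name] = (typ, value)
    return objects

def trust_settings(text):
    """Map label -> (SHA-1 hex, {usage: level}) for every CKO_NSS_TRUST object."""
    out = {}
    for obj in parse_objects(text):
        if obj["CKA_CLASS"][1] == "CKO_NSS_TRUST":
            usages = {k[10:]: v for k, (t, v) in obj.items() if t == "CK_TRUST"}
            out[obj["CKA_LABEL"][1]] = (obj["CKA_CERT_SHA1_HASH"][1].hex(), usages)
    return out
```

The per-usage levels returned here are the information that a plain PEM export of the same roots drops.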