Re: [FORGED] Re: Machine- and human-readable format for root store information?
To be clear: I don't care what format the certificates are released in; I am primarily interested in a reliable URL to download for each root store. I personally will be converting them to OpenSSL-style PEM-encoded-DER to be used with common X.509 libraries. I suspect others will also be interested in this format, but I see no reason to bikeshed what PEM means.

On Sat, Jul 1, 2017 at 12:52 AM Peter Gutmann wrote:
> Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>
> >You keep using that word... I do not think it means what you think it does.
>
> "... what you think it means". Dammit.
>
> Peter.

--
David Adrian
https://dadrian.io
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: [FORGED] Re: Machine- and human-readable format for root store information?
Peter Gutmann via dev-security-policy writes:
>You keep using that word... I do not think it means what you think it does.

"... what you think it means". Dammit.

Peter.
Re: [FORGED] Re: Machine- and human-readable format for root store information?
David Adrian via dev-security-policy writes:
>I'd like to see either a reliable URL to fetch that can be converted to PEM
>(i.e. what Microsoft does), or some API you can hit to the store (e.g. what
>CT does).

PEM. You keep using that word... I do not think it means what you think it does.

Technically speaking, PEM is the data format for Privacy Enhanced Mail, usually applied to the ASCII wrapping for the binary data. In practice, it's used to denote OpenSSL's proprietary private-key format. Neither of those seems terribly useful for communicating trusted certificates.

If you do want a standard format for them that pretty much anything should already be able to understand, why not use CMS/PKCS #7 certificate sets/collections/chains? Almost anything that deals with certs should already be able to read those. Sure, it won't do metadata, but for that you'll need to spend three years arguing in a standards group and produce a 100-page RFC that no-one can get interoperability on. OTOH PKCS #7 works right now.

Peter.
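As an added example (not code from the thread or from either poster), assuming only that the openssl CLI is on PATH: the publisher side wraps root certificates into the signer-less PKCS #7 certificate set Peter suggests, and the consumer side converts that set back to PEM the way David says he will, checking by SHA-256 fingerprint that the round trip loses nothing. The root certificate is a throwaway self-signed one constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample root: a throwaway self-signed CA certificate.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Sample Root (constructed)" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Publisher side: wrap one or more PEM certs into a DER-encoded PKCS #7
# SignedData with no signers and no CRLs (the "certs-only" set). Consumers
# only need a PKCS #7 parser, which almost every X.509 stack already has.
build_pkcs7_set() {
    # $1 = output .p7b, remaining args = PEM certificate files
    out=$1; shift
    args=""
    for c in "$@"; do args="$args -certfile $c"; done
    # shellcheck disable=SC2086  (word splitting of $args is intended)
    openssl crl2pkcs7 -nocrl $args -outform DER -out "$out"
}

# Consumer side: unpack the set into PEM-wrapped DER for OpenSSL-style
# libraries. -print_certs emits Subject/Issuer lines before each block,
# which PEM readers skip as non-PEM text.
pkcs7_to_pem() {
    # $1 = DER .p7b, $2 = output PEM bundle
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 when the cert extracted from the set matches the cert put in.
roundtrip_ok() {
    make_sample_root
    build_pkcs7_set "$WORK/roots.p7b" "$WORK/root.pem"
    pkcs7_to_pem "$WORK/roots.p7b" "$WORK/roots-out.pem"
    [ "$(fingerprint "$WORK/root.pem")" = "$(fingerprint "$WORK/roots-out.pem")" ]
}
```

Pinning the fingerprints of a fetched root set against a previously reviewed copy is the check that matters in practice, since a bare download URL says nothing about whether the contents changed.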