Re: updating ca-bundle.crt
On Wed, Feb 02, 2005, Joe Orton wrote: > There was some discussion on modssl-users a while back on this topic; we > had some concerns about extracting ca-bundle.crt directly from the > Mozilla CA list sources. But after discussing this with Frank Hecker > and some others there is agreement that there are no licensing issues > here really. > > So, attached is a Perl script which regenerates ca-bundle.crt directly > from the Mozilla certdata.txt: Ralf, feel free to include this in > mod_ssl or just update the mod_ssl ca-bundle.crt using it ;) Thanks, Joe. I'll include this script into mod_ssl 2.8.23 together with its latest output. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
updating ca-bundle.crt
There was some discussion on modssl-users a while back on this topic; we had some concerns about extracting ca-bundle.crt directly from the Mozilla CA list sources. But after discussing this with Frank Hecker and some others there is agreement that there are no licensing issues here really. So, attached is a Perl script which regenerates ca-bundle.crt directly from the Mozilla certdata.txt: Ralf, feel free to include this in mod_ssl or just update the mod_ssl ca-bundle.crt using it ;) joe #!/usr/bin/perl -w # # Used to regenerate ca-bundle.crt from the Mozilla certdata.txt. # Run as ./mkcabundle.pl > ca-bundle.crt # my $cvsroot = ':pserver:[EMAIL PROTECTED]:/cvsroot'; my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt'; open(IN, "cvs -d $cvsroot co -p $certdata|") || die "could not check out certdata.txt"; my $incert = 0; print<) { if (/^CKA_VALUE MULTILINE_OCTAL/) { $incert = 1; open(OUT, "|openssl x509 -text -inform DER -fingerprint") || die "could not pipe to openssl x509"; } elsif (/^END/ && $incert) { close(OUT); $incert = 0; print "\n\n"; } elsif ($incert) { my @bs = split(/\\/); foreach my $b (@bs) { chomp $b; printf(OUT "%c", oct($b)) unless $b eq ''; } } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { print "# Generated from certdata.txt RCS revision $1\n#\n"; } }
RE: Again: "License" of ca-bundle.crt
Yes, without equivocation, databases can be protected by copyright. I do agree with Joe about the originality and creativity requirement, since this is necessary public information. Much better information: http://www.bitlaw.com/copyright/database.html Kind Regards, -dsp > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Joe Orton > Sent: Wednesday, June 16, 2004 4:27 PM > To: AIDA Shinra > Cc: [EMAIL PROTECTED] > Subject: Re: Again: "License" of ca-bundle.crt > > > On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote: > > Hello, > > > > I am packaging sole ca-bundle.crt for Fink. > > > http://sourceforge.net/tracker/index.php?func=detail&aid=928157&gr > oup_id=17203&atid=414256 > > > > Fink package system has "License" field. I must fill it. What is the > > "license" of sole ca-bundle.crt? Mod_ssl license? Or nothing like > > "license"? > > It's a tricky legal question, I think. > > The original source of the ca-bundle.crt was a database shipped with the > Netscape browser. It's possible to derive a new ca-bundle.crt from the > Mozilla source code, which is what Debian do in their ca-certificates > package. Debian say that the resultant CA certificate bundle is > licensed under the MPL, as its source in Mozilla is. > > But can a database be copyrighted? Can a database made up of copies of > necessarily-public CA certificates published by third parties be > copyrighted? It is somewhat lacking in "originality", which is one of > the requirements for US copyright law to apply, at least. > > You may be better of asking a lawyer, unfortunately! > > joe > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Again: "License" of ca-bundle.crt
> > -Message d'origine- > > De : [EMAIL PROTECTED] > > Envoyà : mercredi 16 juin 2004 22:27 > > à : AIDA Shinra > > Cc : [EMAIL PROTECTED] > > Objet : Re: Again: "License" of ca-bundle.crt > > > > > > On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote: > > > Hello, > > > > > > I am packaging sole ca-bundle.crt for Fink. > > > > > http://sourceforge.net/tracker/index.php?func=detail&aid=928157&gr > oup_id=17203&atid=414256 > > > > Fink package system has "License" field. I must fill it. What is the > > "license" of sole ca-bundle.crt? Mod_ssl license? Or nothing like > > "license"? > > It's a tricky legal question, I think. > > The original source of the ca-bundle.crt was a database shipped with the > Netscape browser. It's possible to derive a new ca-bundle.crt from the > Mozilla source code, which is what Debian do in their ca-certificates > package. Debian say that the resultant CA certificate bundle is > licensed under the MPL, as its source in Mozilla is. > > But can a database be copyrighted? Can a database made up of copies of > necessarily-public CA certificates published by third parties be > copyrighted? It is somewhat lacking in "originality", which is one of > the requirements for US copyright law to apply, at least. > > You may be better of asking a lawyer, unfortunately! > > joe I am not american, but if I remember correctly, as an american you can copyright a database. The length is 20, 25 or 50 years protection but I don't remember. And Yes, you can copyright a database with certificates as you can copyright a database with the name of those who live in your town. It is not because the datas are public that the database can't be copyrighted... Thierry __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Again: "License" of ca-bundle.crt
On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote: > Hello, > > I am packaging sole ca-bundle.crt for Fink. > http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256 > > Fink package system has "License" field. I must fill it. What is the > "license" of sole ca-bundle.crt? Mod_ssl license? Or nothing like > "license"? It's a tricky legal question, I think. The original source of the ca-bundle.crt was a database shipped with the Netscape browser. It's possible to derive a new ca-bundle.crt from the Mozilla source code, which is what Debian do in their ca-certificates package. Debian say that the resultant CA certificate bundle is licensed under the MPL, as its source in Mozilla is. But can a database be copyrighted? Can a database made up of copies of necessarily-public CA certificates published by third parties be copyrighted? It is somewhat lacking in "originality", which is one of the requirements for US copyright law to apply, at least. You may be better of asking a lawyer, unfortunately! joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Again: "License" of ca-bundle.crt
Hello, I am packaging sole ca-bundle.crt for Fink. http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256 Fink package system has "License" field. I must fill it. What is the "license" of sole ca-bundle.crt? Mod_ssl license? Or nothing like "license"? I sent before but no response except "vacation". Before clarifying it I can't take any action. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
"License" of ca-bundle.crt
I am away on paternity leave for the next few days. Please contact OLSU if urgent, otherwise i will get back to you as soon as possible on my return. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
"License" of ca-bundle.crt
Hello, I am packaging sole ca-bundle.crt for Fink. http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256 Fink package system has "License" field. I must fill it. What is the "license" of sole ca-bundle.crt? Mod_ssl license? Or nothing like "license"? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: ca-bundle.crt
On Wed, Nov 08, 2000, Saicharan K wrote: > There is a file named "ca-bundle.crt" in the mod-ssl distribution. This > file basically contains a bundle of X.509 certificates of all > Certificate authorities. Does anybody know how this file is created and > if there is a location where I can find the source for this? Look for certbundle-1.0.tar.gz in the contrib area of www.modssl.org. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
ca-bundle.crt
Hi, There is a file named "ca-bundle.crt" in the mod-ssl distribution. This file basically contains a bundle of X.509 certificates of all Certificate authorities. Does anybody know how this file is created and if there is a location where I can find the source for this? thanks, Sai __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
ca-bundle.crt
Hi, There is a file named "ca-bundle.crt" in the mod-ssl distribution. This file basically contains a bundle of X.509 certificates of all Certificate authorities. Does anybody know how this file is created and if there is a location where I can find the source for this? thanks, Sai __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Updated ca-bundle.crt file
Today I've again (as one year ago) extracted all certificates from Netscape Communicator 4.7's cert7.db file and bundled them together into a ca-bundle.crt file for use with mod_ssl's SSLCACertificatePath directive. The ca-bundle.crt file is appended. It will be (later) also included in mod_ssl 2.4.7, too. It contains the following CA certs: ABAecom (sub., Am. Bankers Assn.) Root CA ANX Network CA by DST Access America by DST American Express CA American Express Global CA BelSign Object Publishing CA BelSign Secure Server CA Deutsche Telekom AG Root CA Digital Signature Trust Co. Global CA 1 Digital Signature Trust Co. Global CA 2 Entrust Worldwide by DST Equifax Premium CA Equifax Secure CA GTE CyberTrust Global Root GTE CyberTrust Japan Root CA GTE CyberTrust Japan Secure Server CA GTE CyberTrust Root 2 GTE CyberTrust Root 3 GTE CyberTrust Root 4 GTE CyberTrust Root 5 GTE CyberTrust Root CA GlobalSign Partners CA GlobalSign Primary Class 1 CA GlobalSign Primary Class 2 CA GlobalSign Primary Class 3 CA GlobalSign Root CA National Retail Federation by DST Novell E-Commerce Community by DST TC TrustCenter, Germany, Class 0 CA TC TrustCenter, Germany, Class 1 CA TC TrustCenter, Germany, Class 2 CA TC TrustCenter, Germany, Class 3 CA TC TrustCenter, Germany, Class 4 CA Thawte Personal Basic CA Thawte Personal Freemail CA Thawte Personal Premium CA Thawte Premium Server CA Thawte Server CA UPS Document Exchange by DST VeriSign Class 4 Primary CA Verisign Class 1 Public Primary Certification Authority Verisign Class 1 Public Primary Certification Authority - G2 Verisign Class 2 Public Primary Certification Authority Verisign Class 2 Public Primary Certification Authority - G2 Verisign Class 3 Public Primary Certification Authority Verisign Class 3 Public Primary Certification Authority - G2 Verisign Class 4 Public Primary Certification Authority - G2 Verisign/RSA Commercial CA Verisign/RSA Secure Server CA Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com ## ## ca-cert-bundle.pem -- Bundle of CA Certificates ## Last Modified: Fri Oct 22 17:15:27 CEST 1999 ## ## This is a bundle of X.509 certificates of public ## Certificate Authorities (CA). These were automatically ## extracted from Netscape Communicator's certificate database ## (the file `cert7.db'). It contains the certificates in both ## plain text and PEM format and therefore can be directly used ## with an Apache+mod_ssl webserver for SSL client authentication. ## Just configure this file as the SSLCACertificateFile. ## ABAecom (sub., Am. Bankers Assn.) Root CA = MD5 Fingerprint: BA:D9:60:04:63:E6:92:07:3C:C5:38:93:66:38:24:FE PEM Data: -BEGIN CERTIFICATE- MIIDkjCCAnqgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAkRDMRMwEQYDVQQHEwpXYXNoaW5ndG9uMRcwFQYDVQQKEw5BQkEu RUNPTSwgSW5jLjEZMBcGA1UEAxMQQUJBLkVDT00gUm9vdCBDQTEeMBwGCSqGSIb3 DQEJARYPa2RhZ3Vpb0BhYmEuY29tMB4XDTk4MDcyOTE2NTk1MloXDTA1MDcyNzE2 NTk1MlowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJEQzETMBEGA1UEBxMKV2Fz aGluZ3RvbjEXMBUGA1UEChMOQUJBLkVDT00sIEluYy4xGTAXBgNVBAMTEEFCQS5F Q09NIFJvb3QgQ0ExHjAcBgkqhkiG9w0BCQEWD2tkYWd1aW9AYWJhLmNvbTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMae3L3cDgkaUcaSm5lrjGmJvhvF ohFOhGYNmfH/H5mhM9a0kouli57Wp5DEybSBGp6HUP9zVqdtEFsIE6asCKkaIHIa DzN0sVixVm81Nj0zXpPjmgK1obfxbzEFNQ3XoA/OMmexPUj2SYuisf5GgC4/7EQN FKfeuhDXvAn/VZZRF05luCegEpEA9bc7Ur2oNT4T0xhRvRb3fRIBiTc768GiYEK+ QBzTd2hv+LQHfma542pUDaboHGDi7+6drWPsk2udrWMOno8jlhcF/Oh11hQ16i2D mvZVjpNNsYziQWJk0P1G0/kVeo5G1EjbNge1b3JlD3BHdBW87oNQzk72r90CAwEA AaMPMA0wCwYDVR0PBAQDAgLUMA0GCSqGSIb3DQEBBQUAA4IBAQBobiY2tbG5cy5Y 88T6IXNua5n4739dw7v3GyaeotvxbzI/5NjejwuXiE6bNp3RhWABmMdovkPBBoBn JuMZwXZG3VfOxPa54d2cxyoEYZUpuXa/f93fs5fPmMsz5AXUyi3Z4xIpXhjoPwXM aN5mX6LB15EExfCQSEFgW6hC85lUL6s3FVwTyTasHxaTWV1vXjkToFrSvTAPeGg8 ptYvOS8ME51zN+daqhu3HsGRKb+Z8lqYclOV9IAyznxRb7XNSpnc44MbwcGdchyU vjtfIwfoAWmL22SjjLIFKQFSfX5zrRHnLDVqCyMKGnnfcqLRR5/I61zt/szuAQkw sV/IDA62 -END CERTIFICATE- Certificate Ingredients: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root [EMAIL PROTECTED] Validity Not Before: Jul 29 16:59:52 1998 GMT Not After : Jul 27 16:59:52 2005 GMT Subject: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c6:9e:dc:bd:dc:0e:09:1a:51:c6:92:9b:99:6b: 8c:69:89:be:1b:c5:a2:11:4e:84:66:0d:99:f1:ff: 1f:99:a1:33:d6:b4:92:8b:a5:8b:9e:d6:a7:90:c4: c9:b4:81:1a:9e:87:5