cacerts bundled with OpenJDK

Mark Wielaard mark at klomp.org
Mon Jun 4 12:04:40 UTC 2012


On Fri, 2012-06-01 at 08:47 -0400, Donald Smith wrote:
> I don't know if it's a case that I know too much about the world of CAs, 
> and am scared about what this would mean; or if it's a case I don't know 
> enough, so I'm scared about what this would mean. :)

I think that is a good attitude to take wrt CA authorities :)

> I'm not convinced it would help avoid duplication.  In many cases CAs 
> won't be wanted or needed, and I believe in most cases where CAs are 
> wanted by packagers (your case notwithstanding) they'll be wanting it 
> from the OS perspective, or using their own corporate certs.

I don't agree here though. Almost anybody using Java will want at least
ssl/https to the public internet to work, which defines a pretty well
defined base set of root CAs to provide.

> You use Mozilla as an example (which I see more as a consumer/end user 
> product than most OSS).

I think almost any free software project is end user oriented. Why else
would we hack on it? :) Picking the set of Mozilla root CAs and/or making
it easy/trivial to integrate them in a build (when NSS is installed
already anyway) seems the right thing to do. That is already what every
distro does anyway, so better to make the default build be as close as
possible to that.

Mozilla seems to have figured this one out (or at least has the best
public policy around this), so it makes sense to by default adopt the
Mozilla/NSS bundle. https://www.mozilla.org/projects/security/certs/

Cheers,

Mark
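The thread argues about which root CAs an OpenJDK build should ship, but the first thing a practitioner usually wants is to see what their runtime actually trusts so it can be compared against the Mozilla/NSS bundle. The following is an added example, not code from this thread or from OpenJDK: it loads the JDK's `cacerts` keystore, prints every trust anchor, and flags expired roots and RSA keys below a chosen threshold. It assumes the stock `cacerts` location under `java.home` and the default store password `changeit`; both can be overridden on the command line. The `MIN_RSA_BITS` threshold is a policy choice made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Enumeration;

/**
 * Added example (not OpenJDK code): enumerate the trust anchors in a JDK cacerts
 * keystore so the set can be compared against the Mozilla/NSS bundle, and flag
 * anchors a reviewer should look at.
 */
public class CacertsAudit {

    /** Trust anchors with RSA keys below this size are flagged (policy threshold chosen here). */
    static final int MIN_RSA_BITS = 2048;

    public static void main(String[] args) throws Exception {
        // JDK 9+ keeps cacerts at $JAVA_HOME/lib/security/cacerts; JDK 8 and earlier use
        // $JAVA_HOME/jre/lib/security/cacerts. Pass a path as args[0] to override.
        Path path = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // The stock store password is "changeit"; pass args[1] if yours differs.
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // The default type (jks on JDK 8, pkcs12 on JDK 9+) reads either on-disk format.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }

        Date now = new Date();
        int total = 0, expired = 0, weakKey = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            // cacerts should contain only trusted-certificate entries; skip anything else.
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            total++;

            StringBuilder flags = new StringBuilder();
            if (x.getNotAfter().before(now)) {
                expired++;
                flags.append(" EXPIRED");
            }
            if (x.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                if (bits < MIN_RSA_BITS) {
                    weakKey++;
                    flags.append(" RSA-").append(bits);
                }
            }
            // Roots are self-signed, so the signature algorithm on the root itself protects
            // nothing; it is printed only as context for the reviewer.
            System.out.printf("%-40s %s  notAfter=%tF  sig=%s%s%n",
                    alias, x.getSubjectX500Principal().getName(), x.getNotAfter(),
                    x.getSigAlgName(), flags);
        }
        System.out.printf("%n%d trust anchors in %s: %d expired, %d with RSA < %d bits%n",
                total, path, expired, weakKey, MIN_RSA_BITS);
    }
}
```

Compile and run with `javac CacertsAudit.java && java CacertsAudit` to audit the running JDK, or pass the path of a distro-provided store as the first argument to compare a vendor bundle against the stock one. `keytool -list -v -keystore "$JAVA_HOME/lib/security/cacerts"` gives the same raw listing without the flags.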


