Re: Mac Certificates Query
- Subject: Re: Mac Certificates Query
- From: Jens Alfke <email@hidden>
- Date: Tue, 29 Apr 2014 07:05:41 -0700
On Apr 28, 2014, at 11:49 PM, Rakesh Singhal <email@hidden> wrote:
> How can we programmatically bundle all VALID certificates from all keychains (login.keychain, SystemRootCertificates, SystemCACertificates and System.keychain) in one file, like we have /etc/ssl/certs/ca-certificates.crt in Linux? Our application is not going to ship its own ca-certificates.crt and instead is required to build one from the keychains.
This is more appropriate for the apple-cdsa (aka “security/crypto”) mailing list. You should repost it there.
In general, this sounds like a bad idea. The OS already has its own trusted set of certs; why would you need to duplicate it? The OS root cert set can be updated dynamically, but baking one into your app will freeze it until you update your app, so the app might end up trusting certs that have since been invalidated. (This is an especially big concern right now, as many cert owners are regenerating their certs in response to the Heartbleed vulnerability.)
—Jens
Darwin-dev mailing list (email@hidden)