uses erlang-certifi

[benoitc]

Erlang certifi is a port of certifi. The CA bundle is derived from Mozilla's canonical set. It provides the same features as rebar_cacerts.

erlang-certifi will be updated as soon as the CA bundle from mozilla is updated.

[ericmj]

What's the difference in certificates? I notice it adds more certificates.

[benoitc]

It contains all trusted certificate in https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

I am not sure how the rebar one have been built though.

[ericmj]

It's not as easy as including all of mozillas trusted certificates. There are different classifications of certificates and they are trusted for different reasons. A certificate can be for email signing, code signing, only trusted as an intermediate certificate but not as root, etc.

Do ceritfi document how they generate their list?

[benoitc]

@ericmj all scripts are available in the certifi organisation:
https://github.com/certifi/cert-tools
https://github.com/certifi/extract-nss-root-certs

The advantage of using certifi is to rely on the community effect. Indeed certifi is used by requests one of the most used HTTP client in the Python community.

Also using a common library would allows to reuse the same validated certificate bundle between different clients. Which is good for the ecosystem imo.

[benoitc]

also by default it only include trusted certificates:

https://github.com/certifi/extract-nss-root-certs/blob/master/convert_mozilla_certdata.go#L61-L63

[ericmj]

Okay, looks like they use good defaults https://github.com/certifi/extract-nss-root-certs/blob/master/convert_mozilla_certdata.go#L268-L270.

I can't reach https://certifi.io/.

When or how often does certifi update the list from Mozilla and when will the hex package be updated?

[benoitc]

for the https this is a known issue I just bumped them.

Python and Go package have been updated 4 days ago. I will make sure that the erlang repo is updated automatically as well .

[ericmj]

Being updated 4 days ago doesn't say much. It seems the last update before that was 4 months ago, that's a pretty a long time. Do they have a policy or something like that explains their process?

[benoitc]

@ericmj well as far as I know it's updated as soon as possible after a mozilla update. I opened a ticket to fix the policy about that ^^.

Anyway It will be much faster imo if we are many to watch than having to do it in our corner.

[tsloughter]

Oh, wait, one more thing needs to change. rebar.config needs:

{escript_incl_extra, [{"certifi/priv/*", "_build/default/lib/"}
                      {"relx/priv/templates/*", "_build/default/lib/"},
                      {"rebar/priv/templates/*", "_build/default/lib/"}]}.

[tsloughter]

Otherwise the certs.pem won't be included in the escript.

[tsloughter]

Manually merged so I could add that little change to rebar.config. Thanks!