Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.


 



On Fri, Sep 16, 2022 at 02:11:38PM +0000, Andrew Lynch via openssl-users wrote:

> http://sm-pkitest.atos.net/cert/Atos-Smart-Grid-Test.CA.2.crt
> 
> I’ve also asked my colleagues why the download is http instead of https…

You should look to multiple independent sources to validate the
authenticity of a trust anchor public key.  Trusting "https" to prove
the validity of a WebPKI trust anchor is a bit too circular.

Also "https" is redundant for CRL and intermediate CA distribution,
since these are signed by the issuing CA.  That said, the same ".crt"
file is available via "https":

    https://sm-pkitest.atos.net/cert/Atos-Smart-Grid-Test.CA.2.crt

Trust anchor certificates are often delivered as an operating system
"package", and ideally the package maintainers apply proper due
diligence.

-- 
    Viktor.
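
An added example, not part of the message above or of OpenSSL: one way to check a downloaded trust anchor against fingerprints obtained over several independent channels, rather than relying on the download transport. The function names, channel names, and sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def make_pem(der):
    """Wrap DER bytes in PEM armour (used here only to build the sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def cert_fingerprint(pem_text):
    """SHA-256 over the DER encoding, as printed by `openssl x509 -fingerprint -sha256`."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def normalize(fp):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex, as different sources publish it."""
    h = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(h) != 64:
        raise ValueError("not a SHA-256 fingerprint")
    return h

def anchor_confirmed(pem_text, published, min_sources=2):
    """True only if at least min_sources channels were consulted and all match the file."""
    actual = cert_fingerprint(pem_text)
    matches = [hmac.compare_digest(actual, normalize(fp)) for fp in published.values()]
    return len(matches) >= min_sources and all(matches)

# Constructed sample bytes standing in for a downloaded .crt; not a real certificate.
DEMO_DER = b"\x30\x82" + b"constructed placeholder, not a real certificate"

if __name__ == "__main__":
    pem = make_pem(DEMO_DER)
    fp = cert_fingerprint(pem)
    # Hypothetical channels; in practice each value is obtained separately.
    published = {"os-package": fp, "vendor-phone-call": fp.upper()}
    print(fp, anchor_confirmed(pem, published))
```

A single mismatching channel makes the check fail, so a disagreement has to be resolved before the anchor is installed.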


