Understood. My main reason for telling them is that Google Chrome complains bitterly when asked to download a http link from a page that was fetched with https. I hadn't noticed that yesterday because I was analyzing the problem on a Linux VM and copy-pasted all the URLs from Chrome on my desktop to wget in the VM. -----Ursprüngliche Nachricht----- Von: openssl-users <openssl-users-bounces@xxxxxxxxxxx> Im Auftrag von Viktor Dukhovni Gesendet: Freitag, 16. September 2022 16:22 An: openssl-users@xxxxxxxxxxx Betreff: Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?. On Fri, Sep 16, 2022 at 02:11:38PM +0000, Andrew Lynch via openssl-users wrote: ... > > I’ve also asked my colleagues why the download is http instead of > https… You should look to multiple independent sources to validate the authenticity of a trust anchor public key. Trusting "https" to prove the validity of a WebPKI trust anchor is a bit too circular. Also "https" is redundant for CRL and intermediate CA distribution, since these are signed by the issuing CA. That said, the same ".crt" file is availabe via "https": ... Trust anchor certificates are often delivered as an operating system "package", and ideally the package maintainers apply proper due diligence. -- Viktor.