Send a blank email to [email protected] to get a copy of this message
> Neither plain-text download nor unverified TLS should be used for> the trusted CA root list.
What follows is more general information than an answer. I'm simply
copy/pasting curl's explanation for this question. The original can be
found here (http://curl.haxx.se/docs/caextract.html):
Yes, pointing out that this contents is not hosted on a HTTPS
site is a popular thing to do but really it doesn't help anyone,
nor does it bring any news.
If you don't trust the data or want to be more certain: run the
script yourself. Offering the data over HTTPS would give you a
chicken-and-egg problem as which CAs would you trust when
you download the bundle? You're free to run your own caextract
service on a HTTPS site to redeem this. The scripts and everything
we use to offer data on this page are available in the curl source
code tree.