Mozilla rootcerts

To: tech-pkg%netbsd.org@localhost, tech-security%netbsd.org@localhost
Subject: Mozilla rootcerts
From: maya%netbsd.org@localhost
Date: Sat, 18 Aug 2018 05:33:42 +0000

(Posting again to add another list)

So, AFAIK, the only source of root certificates we have is the
mozilla-rootcerts package.

It uses this list maintained by Mozilla:
https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Mozilla announced they will distrust Symantec*, but haven't done this by
changing the certdata file. After asking, it turns out they document
additional changes they apply on top:
https://wiki.mozilla.org/CA/Additional_Trust_Changes

I am tempted to modify the rootcerts package to distrust any CA needing
more complicated rules than "full trust". As in, manually distrust:
- Kamu SM, Turkish govenrment CA
- ANSSI, French government CA**
- Symantec

Additionally, the list of "Symantec" is very long. At the original post
it included VeriSign. It no longer seems to. I'll need to find an
updated list.

* https://wiki.mozilla.org/CA:Symantec_Issues
** Having trouble finding this on certdata.txt too.

Follow-Ups:
- Re: Mozilla rootcerts
  - From: Greg Troxel
- Re: Mozilla rootcerts
  - From: maya

Prev by Date: Mozilla rootcerts
Next by Date: Re: Mozilla rootcerts
Previous by Thread: Mozilla rootcerts
Next by Thread: Re: Mozilla rootcerts
Indexes:

Home | Main Index | Thread Index | Old Index