tech-pkg archive


Mozilla rootcerts



(Posting again to add another list)

So, AFAIK, the only source of root certificates we have is the
mozilla-rootcerts package.

It uses this list maintained by Mozilla:
https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Mozilla announced they will distrust Symantec*, but haven't done this by
changing the certdata file. After asking, it turns out they document
additional changes they apply on top:
https://wiki.mozilla.org/CA/Additional_Trust_Changes

I am tempted to modify the rootcerts package to distrust any CA needing
more complicated rules than "full trust". As in, manually distrust:
- Kamu SM, Turkish government CA
- ANSSI, French government CA**
- Symantec

Additionally, the list of "Symantec" is very long. At the original post
it included VeriSign. It no longer seems to. I'll need to find an
updated list.

* https://wiki.mozilla.org/CA:Symantec_Issues
** Having trouble finding this on certdata.txt too.
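
An added example, not part of the original post and not the mozilla-rootcerts package's own code: one way to read the per-root trust attributes out of certdata.txt and then apply a manual distrust list on top, as the message proposes. The embedded excerpt, its labels, and the names `LOCAL_DISTRUST`, `parse_trust` and `server_auth_roots` are constructed for illustration.

```python
import re

# Constructed excerpt in certdata.txt syntax; labels are made up, not real CAs.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Partial CA Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Revoked Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

# Hypothetical local policy: label substrings of CAs that upstream handles
# with rules more complicated than "full trust".
LOCAL_DISTRUST = ["Example Partial CA"]

# Attribute lines look like: NAME TYPE [VALUE]
ATTR = re.compile(r'^(CKA_\w+)\s+(\w+)\s*(.*)$')

def parse_trust(text):
    """Return {label: server-auth trust value} for each CKO_NSS_TRUST object."""
    trust, obj = {}, None
    for line in text.splitlines():
        m = ATTR.match(line.strip())
        if not m:
            continue  # blank lines, '#' comments, octal data, END markers
        name, _type, value = m.groups()
        if name == "CKA_CLASS":
            # A new object starts; only trust objects are tracked.
            obj = {} if value == "CKO_NSS_TRUST" else None
        elif obj is not None and name == "CKA_LABEL":
            obj["label"] = value.strip('"')
        elif obj is not None and name == "CKA_TRUST_SERVER_AUTH":
            trust[obj.get("label", "<unlabelled>")] = value
    return trust

def server_auth_roots(text, distrust=LOCAL_DISTRUST):
    """Labels trusted for TLS server auth after the local distrust list."""
    return sorted(
        label for label, t in parse_trust(text).items()
        if t == "CKT_NSS_TRUSTED_DELEGATOR"
        and not any(s in label for s in distrust)
    )
```

Labels are not guaranteed unique in the real file, so a production version would key on the certificate hash attributes instead of `CKA_LABEL`.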

