diff options
author | Jacob Hoffman-Andrews <github@hoffman-andrews.com> | 2017-03-20 12:28:55 -0700 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2020-06-02 19:00:05 -0500 |
commit | a27f45644970531365ec75fb7958b8613d99ff3c (patch) | |
tree | c38d1d14e24b89f7560746cae3b620201f0b3540 | |
parent | 9f002a55738f183a25813a3e324b5b66cf38755c (diff) | |
download | ca-certificates-a27f45644970531365ec75fb7958b8613d99ff3c.tar.gz ca-certificates-a27f45644970531365ec75fb7958b8613d99ff3c.tar.bz2 ca-certificates-a27f45644970531365ec75fb7958b8613d99ff3c.tar.xz ca-certificates-a27f45644970531365ec75fb7958b8613d99ff3c.zip |
Remove email-only roots from mozilla trust store
These roots are trusted in the Mozilla program only for S/MIME, so should not be
included in ca-certificates, which most applications use to validate TLS
certificates.
Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976, the only MUAs that
depend on or suggest ca-certificates are Mutt and Sylpheed. Sylpheed doesn't use
ca-certificates for S/MIME. Mutt does, but I think it is still safe to remove
thes because:
(a) S/MIME is relatively uncommon, and
(b) The CAs that have both TLS and S/MIME bits will continue to work, and
(c) Nearly all of the 12 removed email-only CAs have ceased operation of their
email certificate services
Verisign Class 1 Public Primary Certification Authority - G3
Verisign Class 2 Public Primary Certification Authority - G3
UTN USERFirst Email Root CA
SwissSign Platinum CA - G2
AC Raiz Certicamara S.A.
TC TrustCenter Class 3 CA II
ComSign CA
S-TRUST Universal Root CA
Symantec Class 1 Public Primary Certification Authority - G6
Symantec Class 2 Public Primary Certification Authority - G6
Symantec Class 1 Public Primary Certification Authority - G4
Symantec Class 2 Public Primary Certification Authority - G4
-rw-r--r-- | certdata2pem.py | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/certdata2pem.py b/certdata2pem.py index f91422b..0b02b2a 100644 --- a/certdata2pem.py +++ b/certdata2pem.py @@ -104,8 +104,6 @@ for obj in objects: print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']) elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR': trust[obj['CKA_LABEL']] = True - elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR': - trust[obj['CKA_LABEL']] = True elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED': print('!'*74) print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']) |