And I just noted that apparently you simply set the permissions based on the /usr/local permissions and ownership, which means that the whole issue isn't fixed at all, and any installation (by default all) which uses :staff as owner would still allow any user in that group to add system-wide certificates... and thus (as mentioned before) even trick root into using any forged, self-signed, etc. certs.
Sigh... :-(
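The concern raised above is that a trust-anchor directory inheriting the group-writable /usr/local permissions lets anyone in that group plant certificates root will later trust. As an added example (not code from the original message or its thread), the shell function below audits such a directory for entries that are group- or world-writable or not owned by the expected account. The directory path and the expected owner are parameters and are assumptions; where the local trust anchors actually live depends on the system.

```sh
#!/bin/sh
# Added example, not from the original message. Audits a trust-store
# directory for permission problems of the kind described above.
#
# audit_ca_dir DIR [OWNER]
#   DIR   - directory holding locally added CA certificates (assumption:
#           e.g. /usr/local/share/ca-certificates on Debian-style systems)
#   OWNER - account that must own every entry (default: root)
# Returns 0 if every entry is owned by OWNER and writable only by OWNER;
# otherwise prints the offending paths and returns 1.
audit_ca_dir() {
    dir="$1"
    owner="${2:-root}"
    # Report entries (the directory itself included) that are writable by
    # group or others, or whose owner is not the expected account. A
    # group-writable directory is enough for a group member to drop in a
    # new certificate file, which is exactly the :staff problem.
    offenders=$(find "$dir" \( -perm -g+w -o -perm -o+w -o ! -user "$owner" \) -print 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'insecure trust-store entries under %s:\n%s\n' "$dir" "$offenders"
        return 1
    fi
    return 0
}

# Usage (path is an assumption; adjust to where your system keeps local CAs):
#   audit_ca_dir /usr/local/share/ca-certificates root
```

Running this after installing a package that creates the certificate directory shows whether the directory simply inherited a `root:staff` group-writable mode from /usr/local; the fix on the defender's side is to chown/chmod the directory (and its parents along the path) so that only root can write to it.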