Sorry, meant to address my previous message to Michael. :-) I've done a little digging, and according to the first-level results from:
apt-rdepends --reverse --show=Depends,Recommends,Suggests ca-certificates The only MUAs that depend, recommend, or suggest ca-certificates are mutt and Sylpheed. Sylpheed uses ca-certificates just for SSL: https://github.com/jan0sch/sylpheed/blob/master/libsylph/ssl.c#L58. Mutt seems to be the only MUA that uses ca-certificates for S/MIME. It ships with /etc/Muttrc.d/smime.rc, which has: set smime_ca_location=`for f in $HOME/.smime/ca-certificates.crt $HOME/.smime/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt ; do if [ -e $f ] ; then echo $f ; exit ; fi ; done` These are the remaining CAs in the latest version of ca-certificates from git that are present only because they have the email trust bit: "Verisign Class 1 Public Primary Certification Authority - G3" "Verisign Class 2 Public Primary Certification Authority - G3" "UTN USERFirst Email Root CA" "SwissSign Platinum CA - G2" "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A." "TC TrustCenter Class 3 CA II" "ComSign CA" "S-TRUST Universal Root CA" "Symantec Class 1 Public Primary Certification Authority - G6" "Symantec Class 2 Public Primary Certification Authority - G6" "Symantec Class 1 Public Primary Certification Authority - G4" "Symantec Class 2 Public Primary Certification Authority - G4" It's entirely possible that none of these CAs are actually used for S/MIME by any Mutt user. For instance, Symantec end-of-lifed their email offering in August 2016: https://www.symantec.com/products/information-protection/digital-ids-secure-email. ComSign doesn't offer email certificates anywhere on their site: https://www.comsign.co.uk/. VeriSign was bought by Symantec ages ago. After doing this research, I'd actually argue in favor of dropping these CA's from ca-certificates outright, without making special provision for S/MIME.