Great! Here's my proposed patch. It winds up being pretty small, just removing the lines from certdata2pem.py that pull in email certificates.
Thanks, Jacob
>From 68bc5e229a474fc2815dea530cc246e3d3b55008 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews <git...@hoffman-andrews.com> Date: Mon, 20 Mar 2017 12:28:55 -0700 Subject: [PATCH] Remove email-only roots from mozilla trust store These roots are trusted in the Mozilla program only for S/MIME, so should not be included in ca-certificates, which most applications use to validate TLS certificates. Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976, the only MUAs that depend on or suggest ca-certificates are Mutt and Sylpheed. Sylpheed doesn't use ca-certificates for S/MIME. Mutt does, but I think it is still safe to remove thes because: (a) S/MIME is relatively uncommon, and (b) The CAs that have both TLS and S/MIME bits will continue to work, and (c) Nearly all of the 12 removed email-only CAs have ceased operation of their email certificate services Verisign Class 1 Public Primary Certification Authority - G3 Verisign Class 2 Public Primary Certification Authority - G3 UTN USERFirst Email Root CA SwissSign Platinum CA - G2 AC Ra\xC3\xADz Certic\xC3\xA1mara S.A. TC TrustCenter Class 3 CA II ComSign CA S-TRUST Universal Root CA Symantec Class 1 Public Primary Certification Authority - G6 Symantec Class 2 Public Primary Certification Authority - G6 Symantec Class 1 Public Primary Certification Authority - G4 Symantec Class 2 Public Primary Certification Authority - G4 --- mozilla/certdata2pem.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py index f91422b..0b02b2a 100644 --- a/mozilla/certdata2pem.py +++ b/mozilla/certdata2pem.py @@ -104,8 +104,6 @@ for obj in objects: print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']) elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR': trust[obj['CKA_LABEL']] = True - elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR': - trust[obj['CKA_LABEL']] = True elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED': print('!'*74) print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']) -- 2.8.0-rc3
