Bug#911289: ca-certificates should remove Symantec certs
I think most people are aware that browser vendors agreed to distrust
certificates by Symantec and they no longer issue certificates (their
business got sold to Digicert).
This should also be reflected in the ca-certificates package and the
Symantec roots should be removed (particularly as this package is
acting as a de-facto upstream for several other distros).
This needs some checking which certificates exactly shall be removed.
Symantec operated under various different brand names (Thawte, Geotrust,
and they also owned the old Verisign roots), and some of their roots
have changed the owner and are excluded from the distrust.
I think this comment leads me to the place where the Symantec
distrust is implemented. And it's not in NSS itself, but in browsers
themselves [1, 2].
I don't know where this leaves ca-certificates. For the time being, the
certificates blacklisted by browsers can be blacklisted in
ca-certificates itself. But in general a simple whitelist of trusted
certificate authorities is no longer sufficient. For instance, NSS has
the ability to distrust a CA certificate after a particular date.
This simply isn't possible to represent in ca-certificates' whitelist.
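To illustrate the gap described above, here is an added example (not code from the bug report or from ca-certificates) that evaluates the same chain against a plain whitelist of roots and against an NSS-style store that can attach a "distrust after this date" rule to a root. Fingerprints are constructed hashes and the cutoff date is a placeholder, not a real browser deadline; the example assumes the cutoff is compared against the leaf certificate's notBefore.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    fingerprint: str         # SHA-256 over the DER encoding, hex
    issuer_fingerprint: str  # fingerprint of the certificate that signed it
    not_before: date         # start of the validity period

# Constructed fingerprints for the example; these are not real roots.
ROOT_A = hashlib.sha256(b"constructed root A").hexdigest()
ROOT_B = hashlib.sha256(b"constructed root B").hexdigest()
CUTOFF = date(2018, 1, 1)  # placeholder date, not an actual distrust deadline

# ca-certificates model: a root is either in the bundle or it is not.
WHITELIST: Set[str] = {ROOT_A, ROOT_B}
# NSS-style model: a root may carry a date after which leaves are rejected.
DATED: Dict[str, Optional[date]] = {ROOT_A: CUTOFF, ROOT_B: None}


def is_linked(chain: List[Cert]) -> bool:
    """Leaf-first chain: each cert names the next as issuer, last is self-signed."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer_fingerprint != parent.fingerprint:
            return False
    return chain[-1].issuer_fingerprint == chain[-1].fingerprint


def check_whitelist(chain: List[Cert], store: Set[str]) -> str:
    """Whitelist semantics: the only available decision is remove or keep."""
    if not is_linked(chain):
        return "invalid chain"
    return "ok" if chain[-1].fingerprint in store else "untrusted root"


def check_dated(chain: List[Cert], store: Dict[str, Optional[date]]) -> str:
    """Date-based distrust: old leaves stay valid, newer ones are rejected."""
    if not is_linked(chain):
        return "invalid chain"
    root = chain[-1].fingerprint
    if root not in store:
        return "untrusted root"
    cutoff = store[root]
    if cutoff is not None and chain[0].not_before > cutoff:
        return "distrusted after %s" % cutoff
    return "ok"


def make_chain(root: str, issued: date) -> List[Cert]:
    """Build a constructed two-certificate chain (leaf signed directly by root)."""
    leaf_fp = hashlib.sha256(b"leaf" + root.encode() + issued.isoformat().encode()).hexdigest()
    return [Cert(leaf_fp, root, issued), Cert(root, root, date(2000, 1, 1))]
```

Removing ROOT_A from the whitelist rejects every chain under it, including leaves issued before the cutoff, whereas the dated store rejects only the newer ones.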