I think perhaps that we should be more selective in the certs we add to
ca-certificates.crt. Debian has a configuration file
/etc/ca-certificates.conf, and only adds certificates that are
explicitly listed there to ca-certificates.crt.
Several of the certs in /etc/ssl/certs have comments like this:
# alias="Bogus Global Trustee"
# trust=
# distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION
CKA_TRUST_SERVER_AUTH
# openssl-distrust=codeSigning emailProtection serverAuth
So it seems that the NSS certificate store may include known-bogus
certificates, perhaps to allow displaying a more severe security warning
than the common case of an unknown CA (e.g. self-signed certificates).
We should find out whether these Bogus untrusted CA certificates are
present in Debian's /etc/ssl/certs, and whether they are present in its
ca-certificates.conf. We should also determine whether OpenSSL and
GnuTLS pay attention to those "distrust" comments (see above) in the
single-file certificate bundle, and whether they pay attention to them
in the smaller *.pem and hash-named files.
I will investigate later today, but if anyone is inspired to investigate
sooner and report their findings, feel free. It could be that 993300f6c
and/or e979e6dd523 should be reverted.
Mark
