> There are other stories as well, but that's a good illustration of
> why it's a bad idea to just hand over a bunch of CAs to users without
> any mechanism for keeping the CA database, and CRLs, up to date.
I expected this argument, but it is finally irrelevant. This is because most users do one of two things: (a) do nothing and effectively trust all certificates, because none are installed; (b) install the mozilla-rootcerts package and trust the Mozilla set. Maybe add (c) users who consciously select a subset of those certificates — probably a tiny minority.

Compare with root certificates in the base system: users in group (a) gain cert verification. Users in group (b) do not have to do a manual step. Users in group (c) lose nothing, because they can still futz with root certificates manually.

I assert that having a somewhat outdated set of Mozilla's root certificates is better than having none at all and implicitly trusting everyone — or worse, trusting no one and having, say, Mercurial refuse to clone repos over https by default.

—Benny.