>> Nice! Now, if they could package up a plugin or a new root list such
>> that we could write in 2 lines what busy sysadms had to do, I'd say it
>> would make a great recommendation.

There is an '-ignore-list' feature in https://github.com/agl/extract-nss-root-certs

> Yea. That won't work at all, there's no clear authority [sic!] on who
> can decide a CA is not trustworthy.

And no way to tell what CAs are or aren't trustworthy. It's simply about reducing your needless exposure.

> my list of trusted CAs is empty.

Starting from empty is actually pretty easy, a lot of services start to be covered with under 50 certs. Especially for small sets of web users.
