On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <[email protected]> wrote: >On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote: >> On Sat, May 29, 2021 at 03:08:39AM +0200, [email protected] wrote >> >> > 125 config files in /etc/ssl/certs needs update. >> > >> > For certificates I would expect the old and invalid ones to be >replaced >> > by newer ones without user intervention. >> >> Looking through them is "interesting". There seem to be a lot of >> /etc/ssl/certs/????????.0 files, where "?" is either a random number >or >> a lower case letter. These all seem to be symlinks to >> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a >> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How >much >> do we trust China? There are a couple of certificates in there named >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any >> other suspicious regimes in there? > >I've always wondered about the amount of CAs that are auto-trusted on >any >system. Including several from countries with serious human rights >issues. > >I could do with a tool where I can easily select which CAs to trust >based on >country. > >-- >Joost
Is there actually any tool that can let me pick my certificates? If i go and start deleting randomly certificates from regimes i dont like will there be any "breaking change"? I suppose firefox uses its own certificate store though. Marinus
pEpkey.asc
Description: application/pgp-keys
