Comment 19 for bug 1031333

(In reply to comment #3)
> The list of trusted CAs is inherited from upstream (Mozilla) and we are not
> going to change it ourselves within Fedora - sorry.

Just a few more notes.

Both the SHA1 and MD2 certificates *do* appear to be included in Mozilla's certdata.txt r1.78 (at lines 1010 and 17805), yet the MD2 certificate is not in ca-bundle.crt in package ca-certificates.

I believe the bug is in, which does not handle the case where two certificates have the same CKA_LABEL (as is the case in certdata.txt r1.78), since it tries to output both certificates to the same file (one overwrites the other).

I'll add for the google that the Class 3 certificate is not the only one that gets dropped from ca-bundle.pem by the script. "Verisign Class 1 Public Primary Certification Authority" also appears as the label of two different certs (same underlying key, signed in two different ways).
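
The overwrite described in the comment above, as an added example that is not part of the original comment or of the ca-certificates conversion script: it parses a constructed certdata.txt-style fragment, reports labels shared by distinct certificates, and contrasts label-only output naming with label-plus-fingerprint naming. The function names, the `.crt` naming scheme and the sample bytes are assumptions.

```python
import hashlib
import re

# Constructed certdata.txt-style sample; octal bytes are placeholders, not real certificates.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\003
END
'''

def parse_certs(text):
    """Return [(label, der_bytes)] for every object carrying a CKA_VALUE."""
    certs, label, octal = [], None, None  # octal is a list while inside CKA_VALUE
    for line in text.splitlines():
        if octal is not None and line.strip() == "END":
            certs.append((label, bytes(int(o, 8) for o in octal)))
            octal = None
        elif octal is not None:
            octal += re.findall(r"\\([0-7]{3})", line)
        elif line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"')[1]
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            octal = []
    return certs

def colliding_labels(certs):
    """Labels shared by more than one distinct DER blob."""
    by_label = {}
    for label, der in certs:
        by_label.setdefault(label, set()).add(der)
    return sorted(l for l, ders in by_label.items() if len(ders) > 1)

def file_names(certs, with_fingerprint):
    """Map output file name -> DER; label-only names let a later cert overwrite an earlier one."""
    names = {}
    for label, der in certs:
        suffix = "." + hashlib.sha256(der).hexdigest()[:8] if with_fingerprint else ""
        names[label.replace(" ", "_") + suffix + ".crt"] = der
    return names
```

Running `colliding_labels(parse_certs(...))` over a certdata.txt revision before conversion flags any entry that label-only naming would silently drop from the bundle.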