Hi Marc, I work on EFF's Encrypt the Web project and the Let's Encrypt certificate authority. I'd like to lend support to what Andrew's saying: It's both urgent and important to remove the email roots from the default set of certificates trusted on Debian.
I think Andrew's proposal is good; alternatively, a simpler fix that doesn't involve new packages would be to simply move the email roots to a different directory, for instance /usr/share/ca-certificates/mozilla-email. That would immediately improve security for all TLS clients, while still making the email roots available for those who want them.

Below are the first-level reverse depends for ca-certificates. None of these packages support S/MIME, so I think it is quite safe to make this change. In addition, the most common use of S/MIME is with a company-internal CA, because it only really works well if you have a directory to go with it.

I think either Andrew or I would be happy to produce a patch if you agree that this is the right direction. What do you think?

apt-rdepends --reverse ca-certificates
ca-certificates
  Reverse Depends: 0install-core (2.7-3)
  Reverse Depends: boinc-client (7.4.23+dfsg-1)
  Reverse Depends: ca-certificates-java (>= 20140324)
  Reverse Depends: esniper (2.31.0-1)
  Reverse Depends: freeradius (2.2.5+dfsg-0.2)
  Reverse Depends: glib-networking-tests (2.42.0-2)
  Reverse Depends: gnustep-base-common (1.24.7-1)
  Reverse Depends: kdelibs5-data (4:4.14.2-5+deb8u1)
  Reverse Depends: lava-dev (2014.09.1-1)
  Reverse Depends: libgwenhywfar-data (4.12.0beta-3)
  Reverse Depends: liblwp-protocol-https-perl (6.06-2)
  Reverse Depends: liblwpx-paranoidagent-perl (1.10-5)
  Reverse Depends: libwww-perl (6.08-1)
  Reverse Depends: nodejs-dev (0.10.29~dfsg-2)
  Reverse Depends: osc (0.149.0-2)
  Reverse Depends: php-google-api-php-client (0.6.7-2)
  Reverse Depends: php-guzzle (3.9.2+dfsg-4)
  Reverse Depends: php-guzzlehttp-ringphp (1.0.0-1)
  Reverse Depends: python-httplib2 (0.9+dfsg-2)
  Reverse Depends: python-pip (1.5.6-5)
  Reverse Depends: python-requests (2.4.3-6)
  Reverse Depends: python-requests-whl (2.4.3-6)
  Reverse Depends: python-tornado (3.2.2-1.1)
  Reverse Depends: python-txaws (0.2.3-1)
  Reverse Depends: python3-httplib2 (0.9+dfsg-2)
  Reverse Depends: python3-pip (1.5.6-5)
  Reverse Depends: python3-requests (2.4.3-6)
  Reverse Depends: python3-tornado (3.2.2-1.1)
  Reverse Depends: rubygems-integration (1.8)
  Reverse Depends: software-properties-common (0.92.25debian1)
  Reverse Depends: ssh-import-id (3.21-1)
  Reverse Depends: sympa (6.1.23~dfsg-2+deb8u1)
  Reverse Depends: wordpress (4.1+dfsg-1+deb8u11)

Thanks,
Jacob
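The split Jacob proposes above rests on the per-usage trust flags that Mozilla ships in certdata.txt: a root can be trusted for server authentication, for email protection, or for neither. The following script is an added example, not code from the message's author or from Debian's ca-certificates package. It parses a constructed certdata.txt excerpt (the three roots in it are made up) and sorts each root into the existing /usr/share/ca-certificates/mozilla directory, the proposed mozilla-email directory, or nowhere. The `crt_path` naming rule (spaces replaced by underscores, `.crt` suffix) is an assumption about how the files would be named, not something the message specifies.

```python
"""Sort Mozilla certdata.txt trust records into TLS-server roots, email-only
roots, and roots that should not be installed at all.

Illustrative code, not Debian's certdata2pem. The directory names mirror
the split proposed in the message: web roots stay where TLS clients look,
email-only roots move to a separate directory that is available on request.
"""
import re

SERVER_DIR = "/usr/share/ca-certificates/mozilla"       # existing Debian location
EMAIL_DIR = "/usr/share/ca-certificates/mozilla-email"  # directory proposed in the message

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"

# Constructed excerpt in certdata.txt's record format (three made-up roots).
# Real files also carry CKO_CERTIFICATE records with multi-line octal blobs;
# those lines do not match the attribute pattern below and are skipped.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Mail-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

ATTR_LINE = re.compile(r"(\S+)\s+(\S+)\s+(.*)$")


def parse_trust_objects(text):
    """Return one dict per CKO_NSS_TRUST record: its label and trust attributes."""
    objects = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("CKA_CLASS"):
            # A CKA_CLASS line starts a new record; the last token is its class.
            current = {"class": line.split()[-1]}
            objects.append(current)
            continue
        m = ATTR_LINE.match(line)
        if current is None or not m:
            continue
        attr, _ctype, value = m.groups()
        if attr == "CKA_LABEL":
            current["label"] = value.strip('"')
        elif attr.startswith("CKA_TRUST_"):
            current[attr] = value
    return [o for o in objects if o["class"] == "CKO_NSS_TRUST"]


def destination(obj):
    """Directory a root belongs in, or None if it should not be installed.

    Server-auth trust keeps a root in the default (TLS) directory; a root that
    is trusted only for email goes to the email directory; anything else,
    including code-signing-only and explicitly distrusted roots, is dropped.
    """
    if obj.get("CKA_TRUST_SERVER_AUTH") == TRUSTED:
        return SERVER_DIR
    if obj.get("CKA_TRUST_EMAIL_PROTECTION") == TRUSTED:
        return EMAIL_DIR
    return None


def crt_path(obj):
    """Assumed file naming: label with spaces as underscores plus .crt."""
    target = destination(obj)
    if target is None:
        return None
    return "%s/%s.crt" % (target, obj["label"].replace(" ", "_").replace("/", "_"))


def split_roots(text):
    """Map each destination (SERVER_DIR, EMAIL_DIR, None) to the labels placed there."""
    result = {SERVER_DIR: [], EMAIL_DIR: [], None: []}
    for obj in parse_trust_objects(text):
        result[destination(obj)].append(obj["label"])
    return result


if __name__ == "__main__":
    for obj in parse_trust_objects(SAMPLE_CERTDATA):
        print("%-28s -> %s" % (obj["label"], crt_path(obj) or "(not installed)"))
```

Run against a real certdata.txt, the same classification shows exactly which roots a TLS client would stop trusting after the move, which is the list a reviewer of the eventual patch would want to check.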