From 82051fd0037f9f1ba4dbb713fbe68e333523d498 Mon Sep 17 00:00:00 2001
From: Michael Shuler
Date: Thu, 29 Mar 2018 22:11:18 -0600
Subject: Update mozilla/blacklist.txt

- remove certificates no longer in certdata.txt
- explicitly ignore distrusted certificates to prevent build errors
---
 debian/changelog | 3 +++
 mozilla/blacklist.txt | 30 ++++++++++--------------------
 2 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 118146d..0f7aa82 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,9 @@ ca-certificates (20180329) UNRELEASED; urgency=medium - "TURKTRUST Certificate Services Provider Root 2007" - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" - "UTN USERFirst Hardware Root CA" + * mozilla/blacklist.txt Update blacklist to remove certificates no longer in certdata.txt and + explicitly ignore distrusted certificates. * debian/copyright: Fix lintian insecure-copyright-format-uri with https URL. * debian/changelog:
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 6ea1732..37f515c 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -1,23 +1,13 @@
 # One blacklist entry per line, corresponding to the label in certdata.txt.
-# MD5 Collision Proof of Concept CA
-"MD5 Collisions Forged Rogue CA 25c3"
+# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+"Explicitly Distrust DigiNotar Root CA"
+"Explicitly Distrusted DigiNotar PKIoverheid G2"
+"MITM subCA 1 issued by Trustwave"
+"MITM subCA 2 issued by Trustwave"
+"TURKTRUST Mis-issued Intermediate CA 1"
+"TURKTRUST Mis-issued Intermediate CA 2"
-# DigiNotar Root CA (see debbug#639744)
-"DigiNotar Root CA"
-
-# StartCom and WoSign certificates are now untrusted by the major browser
-# vendors[0]. See [1] for discussion. The list was generated by:
-#
-# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
-# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
-#
-# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
-# [1] https://bugs.debian.org/858539
-#
-"StartCom Certification Authority"
-"StartCom Certification Authority G2"
-"WoSign"
-"WoSign China"
-"Certification Authority of WoSign G2"
-"CA WoSign ECC Root"
-- cgit v1.2.1
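Review bot: The new header comment on the first `+#` line says what the nine labels are for but not how they were selected or how to refresh them, whereas the StartCom/WoSign block this commit deletes carried the exact pipeline that produced it; without a recipe the next certdata.txt update has no cheap way to notice a newly added distrust entry before it breaks the build again. I would replace that line with a three-line comment saying that these are the labels certdata.txt marks as distrusted (presumably carrying no usable trust bits, which is what the build trips over — worth confirming against the build script), that they are listed so the build skips them rather than failing, and giving the regeneration command, e.g. `# $ egrep 'Distrust|MITM|Mis-issued' mozilla/certdata.txt | grep UTF8 | sed 's/CKA_LABEL UTF8 //' | uniq`. Because matching is by label only, dropping `"DigiNotar Root CA"` and the six StartCom/WoSign labels means that if any of those labels ever reappears in certdata.txt it will be built and trusted silently; a one-line note such as `# StartCom/WoSign and the original DigiNotar Root CA labels were dropped only because they left certdata.txt, not because they are trusted again` would preserve that intent for whoever refreshes the list. The doubled "explicitly … explicitly" in the new comment reads as a typo and would be fixed by the rewording above.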