Blame SOURCES/README.ca-certificates

206e80
The CA-Certificates package is based on the list provided
206e80
by the Mozilla Foundation.
206e80
206e80
This version of the package contains the following adjustments:
206e80
206e80
(a)
206e80
The following root CA certificate is included in Mozilla's list:
206e80
  Subject/Issuer: "E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"
206e80
  Serial Number: 1 (0x1)
206e80
  Signature Algorithm: PKCS #1 MD5 With RSA Encryption
206e80
  Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
206e80
206e80
For compatibility with signed applets and OpenJDK, this package includes
206e80
an additional version of the root CA certificate, which contains the
206e80
same issuer/subject names and the same public key, but which contains a
206e80
different signature algorithm, serial number and validity dates:
206e80
  Serial Number:36:12:22:96:c5:e3:38:a5:20:a1:d2:5f:4c:d7:09:54
206e80
  Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
206e80
  Fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
206e80
206e80
Thawte/Symantec have confirmed that the certificate is authentic at:
206e80
  https://bugzilla.mozilla.org/show_bug.cgi?id=1100532#c9
206e80
206e80
(b)
206e80
Mozilla has removed several CA certificates that use 1024 bit keys.
206e80
206e80
For compatibility reasons, this package keeps several of those removed
206e80
CA certificates still trusted by default.
206e80
206e80
Please refer to the ca-legacy(8) man page and the ca-legacy utility
206e80
to learn how to disable them, if desired.