6cf4d9
# The upstream Mozilla.org project tests all changes to the root CA
6cf4d9
# list with the NSS (Network Security Services) library.
6cf4d9
#
6cf4d9
# Occassionally, changes might cause compatibility issues with
6cf4d9
# other cryptographic libraries, such as openssl or gnutls.
6cf4d9
#
6cf4d9
# The package maintainers of the CA certificates package might decide
6cf4d9
# to temporarily keep certain (legacy) root CA certificates trusted,
6cf4d9
# until incompatibility issues can be resolved.
6cf4d9
# 
6cf4d9
# Using this configuration file it is possible to opt-out of the
6cf4d9
# compatibility choices made by the package maintainer.
6cf4d9
#
6cf4d9
# legacy=default :
6cf4d9
#   This configuration uses the choices made by the package maintainer.
6cf4d9
#   It may keep root CA certificate as trusted, which the upstream 
6cf4d9
#   Mozilla.org project has already marked as no longer trusted.
6cf4d9
#   The set of CA certificates that are being kept enabled may change
6cf4d9
#   between package versions.
6cf4d9
#
6cf4d9
# legacy=disable :
6cf4d9
#   Follow all removal decisions made by Mozilla.org
6cf4d9
#
6cf4d9
legacy=default