[Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores

grarpamp grarpamp at gmail.com
Tue Mar 18 21:30:54 PDT 2014


>> Nice!  Now, if they could package up a plugin or a new root list such
>> that we could write in 2 lines what busy sysadms had to do, I'd say it
>> would make a great recommendation.

There is an '-ignore-list' feature in
https://github.com/agl/extract-nss-root-certs

> Yea. That won't work at all, there's no clear authority [sic!] on who
> can decide a CA is not trustworthy.

And no way to tell what CAs are or aren't trustworthy.
It's simply about reducing your needless exposure.

> my list of trusted CAs is empty.

Starting from empty is actually pretty easy, a lot of services
start to be covered with under 50 certs. Especially for small
sets of web users.


