So, I've been looking into this. The relevant code in certdata2pem.py is:
    elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
                                         'CKT_NSS_TRUSTED_DELEGATOR'):
        trust[obj['CKA_LABEL']] = True
    elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
                                              'CKT_NSS_TRUSTED_DELEGATOR'):
        trust[obj['CKA_LABEL']] = True
In Debian and Ubuntu, ca-certificates is not only used for web certificates, but also for email certificates.
Even if Verisign_Class_1_Public_Primary_Certification_Authority.pem is marked as CKT_NSS_MUST_VERIFY_TRUST for CKA_TRUST_SERVER_AUTH, it is marked as CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_EMAIL_PROTECTION, which is why it is included.
I believe omitting certs that are valid for CKA_TRUST_EMAIL_PROTECTION will break email S/MIME verification.
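To make the decision logic above concrete, here is an added example (not certdata2pem.py itself): a minimal parser for certdata.txt-style trust objects plus a trust decision that mirrors the two branches quoted in the comment, with an `include_email` switch to show which CAs would disappear if the email-protection branch were dropped. The records are constructed and omit the multi-line octal attributes found in the real file.

```python
# Added example, not certdata2pem.py. Mirrors the two elif branches quoted
# above and shows why a CA that is MUST_VERIFY_TRUST for server auth but
# TRUSTED_DELEGATOR for email protection is still included.

TRUSTED = ('CKT_NETSCAPE_TRUSTED_DELEGATOR', 'CKT_NSS_TRUSTED_DELEGATOR')

# Constructed sample in the certdata.txt "KEY TYPE VALUE" attribute syntax.
# The real file also carries MULTILINE_OCTAL blobs, which are left out here.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Only CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""


def parse_trust_objects(text):
    """Return one dict per blank-line-separated CKO_NSS_TRUST record."""
    objs, obj = [], {}
    for line in text.splitlines() + ['']:   # trailing '' flushes the last record
        line = line.strip()
        if line.startswith('#'):
            continue
        if not line:
            if obj.get('CKA_CLASS') == 'CKO_NSS_TRUST':
                objs.append(obj)
            obj = {}
            continue
        key, _type, value = line.split(' ', 2)
        obj[key] = value.strip('"')           # UTF8 values are quoted
    return objs


def compute_trust(objs, include_email=True):
    """Map CKA_LABEL -> True for CAs the two quoted branches would accept."""
    trust = {}
    for obj in objs:
        if obj['CKA_TRUST_SERVER_AUTH'] in TRUSTED:
            trust[obj['CKA_LABEL']] = True
        elif include_email and obj['CKA_TRUST_EMAIL_PROTECTION'] in TRUSTED:
            trust[obj['CKA_LABEL']] = True
    return trust
```

Running `compute_trust(parse_trust_objects(SAMPLE_CERTDATA), include_email=False)` drops the Verisign Class 1 record while keeping the web-only CA, which is exactly the S/MIME regression the comment warns about.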