https://bugzilla.redhat.com/show_bug.cgi?id=1274948

--- Comment #2 from Stephen J Pollei <stephen.pollei@xxxxxxxxx> ---

I can remove the extra comments about why it's public domain easily.

OK, I see your point about spacing; I did have haphazard spacing that was made worse by sed usage in https://github.com/pollei/fedora-rpm-specs/blob/master/make_git_spec.sh . I'll change the tspec and change the sed. I'll fix the description, and use /etc/pki/pki-usgov-dod-cacerts without noreplace.

Expired certs can still be used in the process of checking old signatures on files and email. A lot of these expired certs are really bad, as they use rsa1024 instead of rsa2048 or better, and they use sha1, not sha256 or better. So they are included only for completeness, not as endorsement. The newer certs use rsa2048, but still use sha1.

http://news.netcraft.com/archives/2016/01/08/us-military-still-shackled-to-outdated-dod-pki-infrastructure.html
http://tech.slashdot.org/story/15/10/27/0230228/us-military-websites-still-relying-on-sha-1
http://news.netcraft.com/archives/2015/10/26/u-s-military-cyber-security-fails-to-make-the-grade.html
http://news.netcraft.com/archives/2014/02/04/nist-continues-using-sha-1-algorithm-after-banning-it.html

So something to watch is that some of the certs are future dated and will, fingers crossed, be still-born.

http://www.pcworld.com/article/2877672/the-end-for-1024bit-ssl-certificates-is-near-mozilla-kills-a-few-more.html
https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
http://tech.slashdot.org/story/15/11/05/2332206/microsoft-follows-mozilla-in-considering-early-ban-on-sha-1-certificates
by 2016-06.

It's actually because these certs suck so much that they have to be packaged separately and not used by default.
Ideally DOD would update their certs to use acceptable cryptographic standards and use "Name Constraints". Then they could be properly included in the Firefox CA list by default.

https://tools.ietf.org/html/rfc5280#section-4.2.1.10 Internet X.509 PKI Certificate -- Name Constraints, ASN.1 OID 2.5.29.30

I'm in the middle of a few things, but I'll have a new version by tomorrow. Thanks for your review.

-- 
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review
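The properties the comment raises (rsa1024 keys, sha1 signatures, expired and future-dated certs, missing Name Constraints) are exactly what a reviewer would want to check mechanically before a CA bundle lands in /etc/pki. The following Go program is an added example, not code from the bug report, the package under review, or DoD; it uses only the standard library. The two certificates it scans are constructed self-signed samples built in the program itself, the reference date 2016-06-01 (the cutoff the comment mentions) and the bundle path are assumptions, and the Name Constraints check is done by looking for OID 2.5.29.30 in the parsed extensions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// id-ce-nameConstraints, the extension the comment points at (RFC 5280 4.2.1.10).
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}

// Finding is the audit result for one certificate in the bundle.
type Finding struct {
	Subject  string
	Problems []string
}

// AuditBundle walks every CERTIFICATE block in a PEM bundle (the shape a file such
// as /etc/pki/pki-usgov-dod-cacerts would have; the path is an assumption) and
// reports the weaknesses of each certificate relative to the reference time now.
func AuditBundle(bundle []byte, now time.Time) ([]Finding, error) {
	var findings []Finding
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return findings, nil
		}
		if block.Type != "CERTIFICATE" {
			continue // ignore keys, CRLs or anything else mixed into the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate %d: %w", len(findings)+1, err)
		}
		findings = append(findings, Finding{Subject: cert.Subject.CommonName, Problems: AuditCert(cert, now)})
	}
}

// AuditCert lists the weaknesses of one parsed certificate: RSA key below 2048 bits,
// MD5/SHA-1 signature, expired or future-dated validity, and a CA with no Name Constraints.
func AuditCert(cert *x509.Certificate, now time.Time) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("rsa%d key, want rsa2048 or better", pub.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		problems = append(problems, "signed with "+cert.SignatureAlgorithm.String()+", want sha256 or better")
	}
	if now.After(cert.NotAfter) {
		problems = append(problems, "expired "+cert.NotAfter.Format("2006-01-02")+", only useful for checking old signatures")
	}
	if now.Before(cert.NotBefore) {
		problems = append(problems, "future dated, not valid before "+cert.NotBefore.Format("2006-01-02"))
	}
	if cert.IsCA && !hasExtension(cert, oidNameConstraints) {
		problems = append(problems, "CA without Name Constraints (2.5.29.30)")
	}
	return problems
}

func hasExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return true
		}
	}
	return false
}

func day(s string) time.Time {
	t, _ := time.Parse("2006-01-02", s) // sample dates below are well-formed
	return t
}

// selfSignedCA mints a constructed self-signed CA for the sample bundle (not a DoD
// cert). A non-empty permittedDNS adds a Name Constraints extension to the CA.
func selfSignedCA(cn string, bits int, notBefore, notAfter time.Time, permittedDNS []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   notBefore,
		NotAfter:                    notAfter,
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permittedDNS,
		PermittedDNSDomainsCritical: len(permittedDNS) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle is a constructed two-cert bundle: a legacy-style rsa1024 CA that expired
// in 2014 with no Name Constraints, and a newer rsa2048 CA that is future dated but
// constrained to .mil names.
func SampleBundle() ([]byte, error) {
	legacy, err := selfSignedCA("Constructed Legacy Root CA", 1024, day("2004-01-01"), day("2014-01-01"), nil)
	if err != nil {
		return nil, err
	}
	newer, err := selfSignedCA("Constructed Constrained Root CA", 2048, day("2017-01-01"), day("2027-01-01"), []string{".mil"})
	if err != nil {
		return nil, err
	}
	return append(legacy, newer...), nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := AuditBundle(bundle, day("2016-06-01")) // reference date is an assumption
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.Subject)
		for _, p := range f.Problems {
			fmt.Println("  -", p)
		}
	}
}
```

To run it against a real bundle, replace SampleBundle with os.ReadFile of the installed file and pass time.Now(); the sha1 branch of AuditCert, which the constructed samples do not trigger because Go signs them with SHA-256 by default, fires on the certs the comment describes. Expired certs are reported rather than dropped, matching the comment's point that they still serve for checking old signatures and are packaged for completeness only.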