[emmab]

> Additionally, some application developers directly parse a file in Mozilla’s source code management system called certdata.txt, in which Mozilla’s root store is maintained in a form that is convenient for NSS to build from. The problem with the scripts that directly parse this file is that some of the certificates in this file are not trusted but rather explicitly distrusted

Could the file be split to retroactively fix everyone doing this?

[cipherboy]

Sure, but some distros (read: Fedora that I know of) use this as a source of truth for their TLS Root trusts. Means the scope is larger than just Mozilla and they'd (hopefully) coordinate with downstreams and others prior to changing this.

Best would be if they shipped a reference parsing library for whatever format they do use is. :-)