(Posting again to add another list) So, AFAIK, the only source of root certificates we have is the mozilla-rootcerts package. It uses this list maintained by Mozilla: https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt Mozilla announced they will distrust Symantec*, but haven't done this by changing the certdata file. After asking, it turns out they document additional changes they apply on top: https://wiki.mozilla.org/CA/Additional_Trust_Changes I am tempted to modify the rootcerts package to distrust any CA needing more complicated rules than "full trust". As in, manually distrust: - Kamu SM, Turkish govenrment CA - ANSSI, French government CA** - Symantec Additionally, the list of "Symantec" is very long. At the original post it included VeriSign. It no longer seems to. I'll need to find an updated list. * https://wiki.mozilla.org/CA:Symantec_Issues ** Having trouble finding this on certdata.txt too.