And I think we should remove the old StartCom root certs from NSS.
Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#StartCom
~~
Mozilla currently recommends not trusting any certificates issued by this CA after October 21st, 2016. That recommendation covers the following roots:
CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
This restriction has been implemented in both in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.), and in addition, in the NSS library code, which is used by applications that use the NSS certificate verification APIs.
~~
Please let me know if you foresee any problems with removing these root certs from NSS.
Thanks,
Kathleen