To fix bug 1400293, we must enable Firefox to distinguish between Mozilla CAs and other, locally installed CAs. We want to achieve this by using a new PKCS#11 attribute, nss-mozilla-ca-policy, which is set only for Mozilla-approved CAs. This bug requests enhancing the ca-certificates package to set this new attribute. This depends on a new p11-kit that supports the attribute. This also requires that we change the way ca-certificates passes data to p11-kit-trust, because the BEGIN TRUSTED CERTIFICATE file format isn't flexible and doesn't support adding new attributes. I'll file a separate bug for that, because I want to do these changes in separate steps.
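As an added illustration (not code from this bug or from the ca-certificates package), the following audit sketch separates trust anchors that carry nss-mozilla-ca-policy from those that do not. It assumes the trust data is stored in p11-kit's persist format with `trusted` and `nss-mozilla-ca-policy` fields; the labels and the certificate body are constructed placeholders.

```python
# Constructed sample in p11-kit persist format (assumed layout; labels are
# made up and the PEM body is a placeholder, not a real certificate).
SAMPLE = """\
[p11-kit-object-v1]
label: "Example Mozilla Root"
trusted: true
nss-mozilla-ca-policy: true
-----BEGIN CERTIFICATE-----
(constructed placeholder, body elided)
-----END CERTIFICATE-----

[p11-kit-object-v1]
label: "Corp Internal Root"
trusted: true

[p11-kit-object-v1]
label: "Example Distrusted Root"
x-distrusted: true
"""

def parse_objects(text):
    """Return one dict of 'key: value' fields per [p11-kit-object-v1] block."""
    objects, current, in_pem = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN "):
            in_pem = True            # skip the PEM payload, only fields matter
        elif line.startswith("-----END "):
            in_pem = False
        elif in_pem or not line or line.startswith("#"):
            continue
        elif line == "[p11-kit-object-v1]":
            current = {}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip().strip('"')
    return objects

def classify_anchors(text):
    """Split trusted anchors into Mozilla-policy CAs and locally added CAs."""
    result = {"mozilla": [], "local": []}
    for obj in parse_objects(text):
        if obj.get("trusted") == "true":
            is_moz = obj.get("nss-mozilla-ca-policy") == "true"
            result["mozilla" if is_moz else "local"].append(
                obj.get("label", "<unlabelled>"))
    return result

if __name__ == "__main__":
    print(classify_anchors(SAMPLE))
```

Anchors listed under `local` are trusted without the Mozilla policy attribute, which is the set an administrator would review when auditing locally installed CAs.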
fixed in rawhide
ca-certificates-2017.2.11-1.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a11057f70e
ca-certificates-2017.2.11-1.1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3753e75f72
ca-certificates-2017.2.11-1.1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3753e75f72
ca-certificates-2017.2.11-1.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a11057f70e
ca-certificates-2017.2.11-1.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
ca-certificates-2017.2.11-1.1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.