Distrust new WoSign/StartCom certificates

net/data/ssl/wosign/README.md

+# WoSign Certificates
+
+This directory contains the set of known active and legacy root certificates
+operated by WoSign CA Limited, including those of its wholly owned subisiary
+StartCom.
+
+Trust in these root certificates is being phased out, as described at
+<https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html>
+
+## Roots
+
+The files in this directory are organized by the SHA-256 hash of the
+certificate file, while the policies are based on the SHA-256 hash of
+the subjectPublicKeyInfo contained within the certificate.
+
+The following command can be used to extract the key hashes:
+
+`` for f in *.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort ``
+