
Glad to see this happening - I removed CNNIC from my machines back in Feb - https://github.com/sammcj/delete-unknown-root-ca


Is there a readily accessible list of the CAs you're deleting? Ah, it's in the shell script itself, and there are just four of them. And this looks to be specific to Mac OS X only -- /System/Library/Keychains is not a frequently encountered path on, say, Windows, Linux, or BSD (non-Mac) boxen.

How does this work, e.g., on systems which install root CAs from standard packages? I think you'll find you'll need to 1) re-run the script and 2) that you're not getting the benefit of retaining the root but flagging it as untrusted.

I just posted on flagging the CNNIC root as untrusted in Debian. That's better than deleting the CA, as it should now show as negative trust if I'm grokking things properly.


As the readme says: 'Also removes any user trust settings for each certificate'.

It's not intended as a patch or fix for the CA system, which is broken by design - merely something that I was interested in trying.


If you want to remove all China CAs, it may be helpful. https://github.com/chengr28/RevokeChinaCerts


Great link - thanks!



