Debian Bug report logs - #796208

ca-certificates: removal of SPI CA

Reported by: Raphael Geissert <geissert@debian.org> Date: Thu, 20 Aug 2015 10:36:02 UTC Severity: important Found in version ca-certificates/20150426 Fixed in version ca-certificates/20151214 Done: Michael Shuler <michael@pbandjelly.org> Bug is archived. No further changes may be made.

Toggle useless messages

Report forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org> :

Bug#796208 ; Package ca-certificates . (Thu, 20 Aug 2015 10:36:06 GMT) (full text, mbox, link).

Acknowledgement sent to Raphael Geissert <geissert@debian.org> :

New Bug report received and forwarded. Copy sent to Michael Shuler <michael@pbandjelly.org> . (Thu, 20 Aug 2015 10:36:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: ca-certificates: removal of SPI CA Date: Thu, 20 Aug 2015 12:33:58 +0200

Package: ca-certificates Version: 20150426 Severity: important Just a bug report to track the removal of the SPI CA. As far as I'm aware of, only the debconf.org websites still use certificates signed by that CA. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org> :

Bug#796208 ; Package ca-certificates . (Tue, 24 Nov 2015 20:03:06 GMT) (full text, mbox, link).

Acknowledgement sent to Aaron Zauner <azet@azet.org> :

Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org> . (Tue, 24 Nov 2015 20:03:06 GMT) (full text, mbox, link).

Message #10 received at 796208@bugs.debian.org (full text, mbox, reply):

From: Aaron Zauner <azet@azet.org> To: 796208@bugs.debian.org Subject: Re: ca-certificates: removal of SPI CA Date: Tue, 24 Nov 2015 21:01:50 +0100

Hi, +1 on removal of this CA from the default system trusted CA certificates. I get why back in the day CAcert and similar projects looked like a valid idea, but the CA landscape has changed significantly [0] since then and a CA that does not conform with modern technical and operational procedures should not be included by default (e.g. CA/B baseline requirements [1], RFC3647, certificate transparency [2] et cetera) in any distribution, especially one that's that popular and widely used on servers. This also affects Ubuntu [3].. Thanks, Aaron [0] - https://lwn.net/Articles/663875/ https://lwn.net/Articles/664385/ [1] - https://cabforum.org/baseline-requirements-documents/ [2] - https://www.certificate-transparency.org/how-ct-works [3] - https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/ca-certificates/wily/files/head:/spi-inc.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org> :

Bug#796208 ; Package ca-certificates . (Wed, 25 Nov 2015 21:18:03 GMT) (full text, mbox, link).

Acknowledgement sent to Josh Triplett <josh@joshtriplett.org> :

Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org> . (Wed, 25 Nov 2015 21:18:03 GMT) (full text, mbox, link).

Message #15 received at 796208@bugs.debian.org (full text, mbox, reply):

From: Josh Triplett <josh@joshtriplett.org> To: 796208@bugs.debian.org Subject: libnss3 removed the SPI CA Date: Wed, 25 Nov 2015 13:15:41 -0800

Related to this bug, nss removed this CA today: nss (2:3.21-1) unstable; urgency=medium * New upstream release. * nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL renegotiation. 5 years after the transition started, it shouldn't be necessary anymore. * nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA. * nss/lib/util/secload.c: Fix a warning introduced by our patch to this file. * debian/libnss3.symbols: Add NSS_3.21 symbol versions. -- Mike Hommey <glandium@debian.org> Wed, 25 Nov 2015 09:18:30 +0900 Between Let's Encrypt and StartCom, I agree that SPI doesn't need to run a CA anymore, especially not a CA that only Debian systems trust. Debian sites should use certificates that all browsers trust, which they can easily do now. - Josh Triplett

Information forwarded to debian-bugs-dist@lists.debian.org :

Bug#796208 ; Package ca-certificates . (Sat, 05 Dec 2015 05:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Shuler <michael@pbandjelly.org> :

Extra info received and forwarded to list. (Sat, 05 Dec 2015 05:03:03 GMT) (full text, mbox, link).

Message #20 received at 796208@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org> To: 796208@bugs.debian.org Subject: Re: Bug#796208: libnss3 removed the SPI CA Date: Fri, 4 Dec 2015 23:00:06 -0600

Control: tags -1 + pending On 11/25/2015 03:15 PM, Josh Triplett wrote: > Related to this bug, nss removed this CA today: Thanks for the update. I've removed the SPI CA in git, and I'm prepping an upload to unstable. http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/commit/?id=12b1983c7f396327302088851251cdb797923c02 -- Kind regards, Michael

Added tag(s) pending. Request was from Michael Shuler <michael@pbandjelly.org> to 796208-submit@bugs.debian.org . (Sat, 05 Dec 2015 05:03:03 GMT) (full text, mbox, link).

Reply sent to Michael Shuler <michael@pbandjelly.org> :

You have taken responsibility. (Sun, 20 Dec 2015 10:09:17 GMT) (full text, mbox, link).

Notification sent to Raphael Geissert <geissert@debian.org> :

Bug acknowledged by developer. (Sun, 20 Dec 2015 10:09:17 GMT) (full text, mbox, link).

Message #27 received at 796208-close@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org> To: 796208-close@bugs.debian.org Subject: Bug#796208: fixed in ca-certificates 20151214 Date: Sun, 20 Dec 2015 10:06:36 +0000

Source: ca-certificates Source-Version: 20151214 We believe that the bug you reported is fixed in the latest version of ca-certificates, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 796208@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 14 Dec 2015 18:51:50 -0600 Source: ca-certificates Binary: ca-certificates Architecture: source all Version: 20151214 Distribution: unstable Urgency: medium Maintainer: Michael Shuler <michael@pbandjelly.org> Changed-By: Michael Shuler <michael@pbandjelly.org> Description: ca-certificates - Common CA certificates Closes: 611501 783615 789753 796208 Changes: ca-certificates (20151214) unstable; urgency=medium . * Removed SPI CA. Closes: #796208 * debian/{compat,control}: Updated d/compat to version 9 and updated Build-Depends. * debian/postinst: Handle /usr/local/share/ca-certificates permissions and ownership on upgrade. Closes: #611501 * mozilla/certdata2pem.py: Add Python 3 support to ca-certificates. Thanks to Andrew Wilcox and Richard Ipsum for the patch! Closes: #789753 * sbin/update-ca-certificates: Update local certificates directory when calling --fresh. Thanks for the patch, Daniel Lutz! Closes: #783615 * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.6. The following certificate authorities were added (+): + "CA WoSign ECC Root" + "Certification Authority of WoSign G2" + "Certinomis - Root CA" + "OISTE WISeKey Global Root GB CA" + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" The following certificate authorities were removed (-): - "A-Trust-nQual-03" - "Buypass Class 3 CA 1" - "ComSign Secured CA" - "Digital Signature Trust Co. Global CA 1" - "Digital Signature Trust Co. Global CA 3" - "SG TRUST SERVICES RACINE" - "TC TrustCenter Class 2 CA II" - "TC TrustCenter Universal CA I" - "TURKTRUST Certificate Services Provider Root 1" - "TURKTRUST Certificate Services Provider Root 2" - "UTN DATACorp SGC Root CA" - "Verisign Class 4 Public Primary Certification Authority - G3" Checksums-Sha1: 12ebddaa1aae04c9309c71671247a8079e5f9bf5 1405 ca-certificates_20151214.dsc c993a9a44cf2bf2d7282699fd0415f2b5d52fa00 293672 ca-certificates_20151214.tar.xz 6c60f8af11fb8a4378092f40d1b1083f3e95adbb 199574 ca-certificates_20151214_all.deb Checksums-Sha256: 07f110fc0d0691ec8c127b052f0ebee65e9f32684868b12735b9d57a7cd9d90f 1405 ca-certificates_20151214.dsc 59286e6403f482a24c672e09b810c7d089a73153d4772ff4a66e86053a920525 293672 ca-certificates_20151214.tar.xz 6b84bef92f6f76f96502326437ed5987bd6d852ce025513f6d26655e14910b10 199574 ca-certificates_20151214_all.deb Files: edef46f1bb2d172075ea93b85bf62ded 1405 misc optional ca-certificates_20151214.dsc 2233bfa64af6f58f5eca9735b6742818 293672 misc optional ca-certificates_20151214.tar.xz 3ad959fc9ea29346d10667a83b1a563f 199574 misc optional ca-certificates_20151214_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJWdnqjAAoJEFb2GnlAHawEnaEH/jLKQINK+cqeHt8vCFI6p65Y NsJ8lxRQxU6OtRTAuU1ZfeDzPCB8JX73SpAcoQUpf4RVaFei/trUONSIE948wKfB gZTHOz+PgOckBLzvnTcri8vcOyt3a9Z2b6Ykxmh40WHihI9ibb1hDo+15+HFuGhV +qUk1yTmfSF0UXtkLQFbV+niWXfphGLKcMGlVgRNsKbiG+tYu1P2d56SzwWY2yjp uqyK9B2jfAYSSyd5vpLjFTiVvyjo2R2QjnO5tcNco2VGzPshA/eBH1DurEEb+DcD qSB3oK3X2nFuALV/Js6yu1ik/SkK+M1Zdn/hDhdDv6KR5m68uOfA2BDjYwwR8Cw= =iZAZ -----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org> :

Bug#796208 ; Package ca-certificates . (Sat, 16 Jan 2016 19:57:07 GMT) (full text, mbox, link).

Acknowledgement sent to Axel Beckert <abe@debian.org> :

Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org> . (Sat, 16 Jan 2016 19:57:07 GMT) (full text, mbox, link).

Message #32 received at 796208@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org> To: Raphael Geissert <geissert@debian.org>, 796208@bugs.debian.org Subject: Re: Bug#796208: ca-certificates: removal of SPI CA Date: Sat, 16 Jan 2016 20:54:22 +0100

Raphael Geissert wrote: > Just a bug report to track the removal of the SPI CA. *sigh* > As far as I'm aware of, only the debconf.org websites still use > certificates signed by that CA. So why was the CA then removed already if debconf.org still uses this CA? https://www.debconf.org/ is now reported as broken. And no, it's not only debconf.org: https://mentors.debian.net/ is broken now, too. :-( Do we now need a separate ca-spi package? As it had to be done for CAcert? Regards, Axel -- ,''`. | Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org> :

Bug#796208 ; Package ca-certificates . (Sat, 16 Jan 2016 21:18:04 GMT) (full text, mbox, link).

Acknowledgement sent to Robert Edmonds <edmonds@debian.org> :

Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org> . (Sat, 16 Jan 2016 21:18:04 GMT) (full text, mbox, link).

Message #37 received at 796208@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org> To: Axel Beckert <abe@debian.org>, 796208@bugs.debian.org Subject: Re: Bug#796208: ca-certificates: removal of SPI CA Date: Sat, 16 Jan 2016 16:15:03 -0500

Axel Beckert wrote: > So why was the CA then removed already if debconf.org still uses this > CA? https://www.debconf.org/ is now reported as broken. Hi, If you examine the certificate served by www.debconf.org:443, it has a common name of wiki.debconf.org, with SANs for wiki.debconf.org and www.wiki.debconf.org. It will report as broken regardless of which CAs are in the ca-certificates package, because the server does not appear to be configured to correctly serve its www.debconf.org virtual host via HTTPS. Also note that the certificate is issued by "Gandi Standard SSL CA 2", not SPI, Inc. Certificate: Data: Version: 3 (0x2) Serial Number: 71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84 Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2 Validity Not Before: Jan 1 00:00:00 2016 GMT Not After : Jan 1 23:59:59 2017 GMT Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c0:84:16:fc:c8:8b:78:aa:b9:ac:db:b4:23:fc: 2a:db:d9:6b:76:1d:de:92:8c:4c:d7:86:5f:15:d4: 15:90:64:7d:a9:05:cd:4c:49:63:63:00:e3:a6:63: bb:04:29:fb:67:ee:d7:25:17:4f:e1:87:23:fa:a1: ea:38:aa:9d:dc:d6:a0:f7:ab:5f:44:43:1f:03:80: d9:d3:39:e0:42:5a:48:91:b3:da:b3:b1:1e:fa:86: 0b:5d:b7:34:fe:f1:22:e7:96:58:2e:c3:86:09:e1: 5b:82:54:a0:e7:db:ba:fa:0c:6c:f6:42:4d:54:54: 2a:4a:48:87:35:f9:71:e8:67:a9:8e:ba:23:74:32: 12:dc:ff:15:9b:c3:98:bd:d1:0c:ba:3f:2d:de:50: 71:27:ef:a1:88:96:f2:d5:15:d8:ff:14:c2:c4:b8: 83:32:81:a8:91:67:97:19:c1:c2:c1:e2:0c:1b:4b: 4f:f2:19:fb:19:4a:07:ee:29:36:13:dd:0c:a2:76: 48:79:d7:a0:03:51:d4:7f:31:a5:5d:00:dc:4f:cc: 3b:f9:00:84:d6:2b:63:d7:86:e7:e3:aa:7a:f9:6f: 75:2b:87:0d:c9:82:3e:85:03:d6:a0:7a:2e:cf:b2: 85:9a:72:38:51:92:f6:a7:d9:d1:19:97:e3:3e:99: c5:b6:ae:c9:55:77:34:34:ae:a5:66:3a:5d:13:57: 25:da:44:29:43:dd:33:ca:05:53:c0:3f:84:e3:64: 12:d2:b0:68:d9:05:55:8e:14:e6:99:6d:bd:73:e4: e9:f9:3c:26:5b:f1:1c:fa:a2:28:dc:ea:24:af:71: 33:66:10:14:a9:3a:c1:a1:ca:66:f2:bd:31:08:60: 2c:b4:f9:d6:a9:6c:3b:7c:c4:bd:99:42:b4:7f:f5: 0e:14:ea:13:80:c2:bd:ea:4f:c2:ff:ff:ae:67:2c: 8e:5a:40:87:85:97:b8:c1:25:f5:5d:e2:1f:cf:bb: f1:18:89:0a:08:2c:da:b1:d8:1d:4d:c2:7b:4b:67: eb:af:e8:38:7c:74:41:8b:7f:08:cb:1a:24:d1:0e: c4:2f:5c:cd:ff:6a:96:c3:34:b2:f8:bb:4e:50:66: 82:84:02:4b:b9:81:4b:a8:1c:d6:90:35:56:26:a1: 8f:b9:8b:68:a0:78:f5:f7:75:e9:cb:de:8a:b1:1d: c6:e3:df:7b:08:bc:39:76:cf:ed:6b:29:9b:2c:f5: 06:3f:d5:9d:32:c6:cd:9a:42:1f:66:ee:3c:4e:21: b3:30:7c:74:d0:ed:80:6c:d2:a9:01:1c:91:b1:b0: ac:4d:99:09:4c:ac:dd:7b:d6:21:95:37:d5:6e:4a: ef:0b:6f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA X509v3 Subject Key Identifier: 92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.26 CPS: https://cps.usertrust.com Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl Authority Information Access: CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt OCSP - URI:http://ocsp.usertrust.com X509v3 Subject Alternative Name: DNS:wiki.debconf.org, DNS:www.wiki.debconf.org Signature Algorithm: sha256WithRSAEncryption 4f:79:e2:3a:5a:51:57:a9:21:33:2f:36:3b:9e:91:4c:65:d4: 7d:63:61:e3:39:37:ae:d2:9c:db:fe:0b:5f:f7:08:7f:4e:36: a1:7c:d0:6b:d6:c4:f4:10:2c:d5:b1:1c:ac:54:26:32:80:92: f1:49:be:e0:c3:12:13:0a:3f:95:fb:bd:16:65:53:6c:08:8e: 02:a9:03:f1:aa:95:43:9f:d7:18:61:3d:4a:aa:1d:06:9e:bd: 68:a4:33:a3:38:47:75:df:7e:ec:55:7e:9f:72:4b:9a:6f:26: 29:c1:c1:84:4d:2b:a4:8d:1d:fe:d5:56:ec:07:34:13:5b:12: 0c:70:ae:3c:9d:27:21:9c:62:d7:e6:b3:de:c9:24:91:17:05: f8:cc:ca:a0:2a:8d:13:b1:8f:22:b4:09:a7:94:a6:d6:f2:fc: f1:a4:aa:b9:30:31:9c:40:eb:31:28:fe:18:fb:ab:af:d6:74: c9:29:38:df:55:98:40:bf:42:56:f9:94:d0:5f:a4:40:2e:15: 73:d2:85:96:bb:52:fe:82:bc:45:89:ad:d3:d4:4f:91:e0:b0: 94:11:de:78:95:3d:c6:67:15:1f:ea:b2:97:9c:57:f3:66:55: 2b:36:1e:f8:d1:80:d2:13:0e:22:a8:28:3d:9f:d3:d6:0f:df: 95:8e:ef:72 > And no, it's not only debconf.org: https://mentors.debian.net/ is > broken now, too. :-( That certificate expires in ~4 months and will need to be replaced soon, too. -- Robert Edmonds edmonds@debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org> :

Bug#796208 ; Package ca-certificates . (Mon, 18 Jan 2016 13:24:17 GMT) (full text, mbox, link).

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org> :

Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org> . (Mon, 18 Jan 2016 13:24:17 GMT) (full text, mbox, link).

Message #42 received at 796208@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org> To: "Robert Edmonds" <edmonds@debian.org>, 796208@bugs.debian.org Cc: "Axel Beckert" <abe@debian.org> Subject: Re: Bug#796208: ca-certificates: removal of SPI CA Date: Mon, 18 Jan 2016 14:12:29 +0100

On Sat, January 16, 2016 22:15, Robert Edmonds wrote: > Axel Beckert wrote: >> So why was the CA then removed already if debconf.org still uses this >> CA? https://www.debconf.org/ is now reported as broken. > > Hi, > > If you examine the certificate served by www.debconf.org:443, it has a > common name of wiki.debconf.org, with SANs for wiki.debconf.org and > www.wiki.debconf.org. It will report as broken regardless of which CAs > are in the ca-certificates package, because the server does not appear > to be configured to correctly serve its www.debconf.org virtual host via > HTTPS. > > Also note that the certificate is issued by "Gandi Standard SSL CA 2", > not SPI, Inc. > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: > 71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84 > Signature Algorithm: sha256WithRSAEncryption > Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA > 2 > Validity > Not Before: Jan 1 00:00:00 2016 GMT > Not After : Jan 1 23:59:59 2017 GMT > Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, > CN=wiki.debconf.org > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (4096 bit) > Modulus: > 00:c0:84:16:fc:c8:8b:78:aa:b9:ac:db:b4:23:fc: > 2a:db:d9:6b:76:1d:de:92:8c:4c:d7:86:5f:15:d4: > 15:90:64:7d:a9:05:cd:4c:49:63:63:00:e3:a6:63: > bb:04:29:fb:67:ee:d7:25:17:4f:e1:87:23:fa:a1: > ea:38:aa:9d:dc:d6:a0:f7:ab:5f:44:43:1f:03:80: > d9:d3:39:e0:42:5a:48:91:b3:da:b3:b1:1e:fa:86: > 0b:5d:b7:34:fe:f1:22:e7:96:58:2e:c3:86:09:e1: > 5b:82:54:a0:e7:db:ba:fa:0c:6c:f6:42:4d:54:54: > 2a:4a:48:87:35:f9:71:e8:67:a9:8e:ba:23:74:32: > 12:dc:ff:15:9b:c3:98:bd:d1:0c:ba:3f:2d:de:50: > 71:27:ef:a1:88:96:f2:d5:15:d8:ff:14:c2:c4:b8: > 83:32:81:a8:91:67:97:19:c1:c2:c1:e2:0c:1b:4b: > 4f:f2:19:fb:19:4a:07:ee:29:36:13:dd:0c:a2:76: > 48:79:d7:a0:03:51:d4:7f:31:a5:5d:00:dc:4f:cc: > 3b:f9:00:84:d6:2b:63:d7:86:e7:e3:aa:7a:f9:6f: > 75:2b:87:0d:c9:82:3e:85:03:d6:a0:7a:2e:cf:b2: > 85:9a:72:38:51:92:f6:a7:d9:d1:19:97:e3:3e:99: > c5:b6:ae:c9:55:77:34:34:ae:a5:66:3a:5d:13:57: > 25:da:44:29:43:dd:33:ca:05:53:c0:3f:84:e3:64: > 12:d2:b0:68:d9:05:55:8e:14:e6:99:6d:bd:73:e4: > e9:f9:3c:26:5b:f1:1c:fa:a2:28:dc:ea:24:af:71: > 33:66:10:14:a9:3a:c1:a1:ca:66:f2:bd:31:08:60: > 2c:b4:f9:d6:a9:6c:3b:7c:c4:bd:99:42:b4:7f:f5: > 0e:14:ea:13:80:c2:bd:ea:4f:c2:ff:ff:ae:67:2c: > 8e:5a:40:87:85:97:b8:c1:25:f5:5d:e2:1f:cf:bb: > f1:18:89:0a:08:2c:da:b1:d8:1d:4d:c2:7b:4b:67: > eb:af:e8:38:7c:74:41:8b:7f:08:cb:1a:24:d1:0e: > c4:2f:5c:cd:ff:6a:96:c3:34:b2:f8:bb:4e:50:66: > 82:84:02:4b:b9:81:4b:a8:1c:d6:90:35:56:26:a1: > 8f:b9:8b:68:a0:78:f5:f7:75:e9:cb:de:8a:b1:1d: > c6:e3:df:7b:08:bc:39:76:cf:ed:6b:29:9b:2c:f5: > 06:3f:d5:9d:32:c6:cd:9a:42:1f:66:ee:3c:4e:21: > b3:30:7c:74:d0:ed:80:6c:d2:a9:01:1c:91:b1:b0: > ac:4d:99:09:4c:ac:dd:7b:d6:21:95:37:d5:6e:4a: > ef:0b:6f > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Authority Key Identifier: > keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA > > X509v3 Subject Key Identifier: > 92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56 > X509v3 Key Usage: critical > Digital Signature, Key Encipherment > X509v3 Basic Constraints: critical > CA:FALSE > X509v3 Extended Key Usage: > TLS Web Server Authentication, TLS Web Client > Authentication > X509v3 Certificate Policies: > Policy: 1.3.6.1.4.1.6449.1.2.2.26 > CPS: https://cps.usertrust.com > Policy: 2.23.140.1.2.1 > > X509v3 CRL Distribution Points: > > Full Name: > URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl > > Authority Information Access: > CA Issuers - > URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt > OCSP - URI:http://ocsp.usertrust.com > > X509v3 Subject Alternative Name: > DNS:wiki.debconf.org, DNS:www.wiki.debconf.org > Signature Algorithm: sha256WithRSAEncryption > 4f:79:e2:3a:5a:51:57:a9:21:33:2f:36:3b:9e:91:4c:65:d4: > 7d:63:61:e3:39:37:ae:d2:9c:db:fe:0b:5f:f7:08:7f:4e:36: > a1:7c:d0:6b:d6:c4:f4:10:2c:d5:b1:1c:ac:54:26:32:80:92: > f1:49:be:e0:c3:12:13:0a:3f:95:fb:bd:16:65:53:6c:08:8e: > 02:a9:03:f1:aa:95:43:9f:d7:18:61:3d:4a:aa:1d:06:9e:bd: > 68:a4:33:a3:38:47:75:df:7e:ec:55:7e:9f:72:4b:9a:6f:26: > 29:c1:c1:84:4d:2b:a4:8d:1d:fe:d5:56:ec:07:34:13:5b:12: > 0c:70:ae:3c:9d:27:21:9c:62:d7:e6:b3:de:c9:24:91:17:05: > f8:cc:ca:a0:2a:8d:13:b1:8f:22:b4:09:a7:94:a6:d6:f2:fc: > f1:a4:aa:b9:30:31:9c:40:eb:31:28:fe:18:fb:ab:af:d6:74: > c9:29:38:df:55:98:40:bf:42:56:f9:94:d0:5f:a4:40:2e:15: > 73:d2:85:96:bb:52:fe:82:bc:45:89:ad:d3:d4:4f:91:e0:b0: > 94:11:de:78:95:3d:c6:67:15:1f:ea:b2:97:9c:57:f3:66:55: > 2b:36:1e:f8:d1:80:d2:13:0e:22:a8:28:3d:9f:d3:d6:0f:df: > 95:8e:ef:72 > >> And no, it's not only debconf.org: https://mentors.debian.net/ is >> broken now, too. :-( > > That certificate expires in ~4 months and will need to be replaced soon, > too. Thanks Robert for the explanation. This decision has not been made by just the package maintainers in isolation. DSA has made it explicit that they've migrated away from the SPI CA. Any remaining use is just indicative of a certificate that is in need of replacement. Cheers, Thijs

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org . (Tue, 16 Feb 2016 07:26:45 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.