Your message dated Mon, 19 Nov 2012 16:50:04 -0600
with message-id <[email protected]>
and subject line wontfix
has caused the Debian Bug report #659508,
regarding ca-certificates: Remove Trustwave CA
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
659508: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20090814+nmu3squeeze1
Severity: important

Trustwave CA
/usr/share/ca-certificates/mozilla/SecureTrust_CA.crt

This company has publicly admitted purposefully supplying a subordinate CA to a
company for the purpose of MITM attacks, by generating SSL certificates on the
fly.
See
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
This is currently being debated by Mozilla at
https://bugzilla.mozilla.org/show_bug.cgi?id=724929 but it has now been 4 days
since they have been notified with hardly a word from Mozilla and I don't think
Mozilla are giving this the attention it deserves.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  openssl                 0.9.8o-4squeeze7 Secure Socket Layer (SSL) binary a

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/new_crts:
  ca-certificates/trust_new_crts: yes



--- End Message ---
--- Begin Message ---
The offending Trustwave intermediates were added to certdata.txt as
explicitly untrusted [0], however, the ca-certificates package does not
install untrusted certs. The SecureTrust_CA.crt is installed, since it
is contained in certdata.txt and is flagged as a TRUSTED_DELEGATOR.
Users of ca-certificates are encouraged to enable/disable any/all
certificates appropriate to their own personal/organizational needs.

 Please note that Debian can neither confirm nor deny whether the
 certificate authorities whose certificates are included in this package
 have in any way been audited for trustworthiness or RFC 3647 compliance.
 Full responsibility to assess them belongs to the local system
 administrator.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=724929#c79

-- Kind regards, Michael

--- End Message ---
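
The trust-flag distinction described in the reply above, as an added example that is not part of the original thread and is not Debian's own conversion script. It assumes a simplified certdata.txt layout and a simplified shipping rule; the sample data and the second label are constructed.

```python
# Constructed sample in the layout of NSS certdata.txt (not copied from the
# real file); the second label is a placeholder, not a real entry.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "SecureTrust CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\270
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "SecureTrust CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Placeholder distrusted intermediate"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_objects(text):
    """Split certdata-style text into objects (attribute name -> value)."""
    objects, current, in_octal = [], {}, False
    for line in text.splitlines() + [""]:      # trailing "" flushes last object
        line = line.strip()
        if in_octal:                           # skip DER bytes until END
            in_octal = line != "END"
        elif not line:                         # blank line closes an object
            if current:
                objects.append(current)
            current = {}
        elif not line.startswith("#"):
            parts = line.split(None, 2)
            if len(parts) >= 2 and parts[1] == "MULTILINE_OCTAL":
                in_octal = True
            elif len(parts) == 3:
                current[parts[0]] = parts[2].strip('"')
    return objects

def classify(objects):
    """Return (shipped, skipped) labels: a root is shipped only if some
    CKA_TRUST_* attribute marks it as a trusted delegator (assumed rule)."""
    shipped, skipped = [], []
    for obj in objects:
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        trusted = any(v == "CKT_NSS_TRUSTED_DELEGATOR"
                      for k, v in obj.items() if k.startswith("CKA_TRUST_"))
        (shipped if trusted else skipped).append(obj.get("CKA_LABEL", "?"))
    return shipped, skipped

if __name__ == "__main__":
    print(classify(parse_objects(SAMPLE)))
```

Entries that end up in the skipped list never reach /usr/share/ca-certificates, so the local enable/disable choice the reply mentions applies only to the shipped roots.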
