On Sat, Feb 21, 2026 at 06:25:47PM +0100, Simon Josefsson wrote:
> Package: ca-certificates
> Version: 20250419
> Severity: wishlist
>
> Not thinking of any of those CAs specifically, but generally, I wonder
> if Debian's users are served by having all of the WebPKI CAs enabled by
> default.
[..]
> One simple criteria could be that the CA supports Certificate
> Transparency and offer a public log of all their issued certificates,

I was going to say that WebPKI already requires that, however it appears
this might not be a WebPKI requirement per se, but what the big
platforms require (Chrome, Firefox, Apple, Microsoft).

Having thought that, I spot-checked a few certs from the list, and for
a lot of them - indeed they submit data to CT logs.

> Quoting a recent security update for 'ca-certificates':
>
> > Mozilla certificate authority bundle was updated to version 2.60
> > The following certificate authorities were added (+):
[..]
> > + "Security Communication RootCA3"

This one caught my eye though, and it appears NSS *removed* the cert in
2024, in
https://hg-edge.mozilla.org/projects/nss/rev/30e2fd2f7da97479c409e3384cc663b15a957714

I assume Simon quoted the changelog of something like
ca-certificates 20230311+deb12u1~deb11u1, and not the 20250419 that was
given as Version:.

I don't quite understand why the LTS project ships certificate bundles
from 2023 in 2026 however. That seems like a big disservice to users.

Chris

