Bug#647849: ca-certificates: removal of signet.pl's CAs

[Michael Shuler]

tags 647849 + pending
thanks

On 11/19/2011 04:55 AM, Thijs Kinkhorst wrote:
 Given that all the CRL's have expired for years it does seem good to remove 
 them from the next upload of ca-certificates.
 
 I'm not sure about the necessity of stable updates. While it indeed seems to 
 have gone out of business or similar, it was webtrust certified in the past 
 and as far as I can see there are no indications that there's acute danger 
 with these certificates, is there?

There is no danger, and it can be better information for users to leave
expired certificates so an application may error with expired, instead
of simply untrusted - see #493376 and #296827.  However, I committed
the removal of the CAs to keep cleaning up the clutter.

-- 
Kind regards,
Michael



signature.asc
Description: OpenPGP digital signature

Bug#647849: ca-certificates: removal of signet.pl's CAs

[Thijs Kinkhorst]

Hi Raphael,

 During a review of signet.pl's CAs in ca-certficiates, I've found several 
 issues that prompt me to remove them from all the current releases of ca-
 certificates.

Given that all the CRL's have expired for years it does seem good to remove 
them from the next upload of ca-certificates.

I'm not sure about the necessity of stable updates. While it indeed seems to 
have gone out of business or similar, it was webtrust certified in the past 
and as far as I can see there are no indications that there's acute danger 
with these certificates, is there?


Thijs


signature.asc
Description: This is a digitally signed message part.

Bug#647849: ca-certificates: removal of signet.pl's CAs

[Raphael Geissert]

Package: ca-certificates
Severity: grave
Version: 20080809

Hi,

During a review of signet.pl's CAs in ca-certficiates, I've found several 
issues that prompt me to remove them from all the current releases of ca-
certificates.

* signet_ca1_pem.crt
notAfter=Sep 23 13:18:17 2011 GMT [EXPIRED]
NO CRL
NO OCSP
Bits=1024

* signet_ca2_pem.crt
notAfter=Apr 18 12:53:07 2017 GMT
NO OCSP
CRL=http://www.signet.pl/repozytorium/crl/pca2.crl
  Last Update: Jan  4 11:39:13 2007 GMT
  Next Update: Jan  4 11:44:13 2008 GMT [EXPIRED]
Bits=2048

* signet_ca3_pem.crt
notAfter=Apr 28 10:50:55 2008 GMT  [EXPIRED]
NO CRL
NO OCSP
Bits=2048

* signet_ocspklasa2_pem.crt
notAfter=Apr 18 12:53:07 2017 GMT
CRL=http://www.signet.pl/repozytorium/crl/klasa2.crl
  Last Update: Jan  4 10:36:58 2007 GMT
  Next Update: Jan  5 10:36:58 2007 GMT  [EXPIRED]
NO OCSP
Bits=1024

* signet_ocspklasa3_pem.crt
notAfter=Apr 28 10:50:55 2008 GMT  [EXPIRED]
CRL=http://www.signet.pl/kwalifikowane/repozytorium/crl/klasa3.crl
  Last Update: Jun 30 10:56:24 2006 GMT
  Next Update: Jul  1 10:56:24 2006 GMT  [EXPIRED]
NO OCSP
Bits=1024

* signet_pca2_pem.crt
notAfter=Sep 21 15:42:19 2026 GMT
CRL=http://www.signet.pl/repozytorium/rootca/rootca.crl
  Last Update: Jan  4 12:27:13 2007 GMT
  Next Update: Jan  5 12:32:13 2008 GMT [EXPIRED]
NO OCSP
Bits=2048

* signet_pca3_pem.crt
notAfter=Sep 21 15:42:19 2026 GMT
CRL=http://www.signet.pl/repozytorium/rootca/rootca.crl
  Last Update: Jan  4 12:27:13 2007 GMT
  Next Update: Jan  5 12:32:13 2008 GMT [EXPIRED]
NO OCSP
Bits=2048

* signet_rootca_pem.crt
notAfter=Sep 21 15:42:19 2026 GMT
NO CRL
NO OCSP
Bits=2048

* signet_tsa1_pem.crt
notAfter=Sep 23 11:18:17 2011 GMT [EXPIRED]
CRL=http://www.signet.pl/repozytorium/crl/klasa1.crl
  Last Update: Aug  1 09:38:22 2006 GMT
  Next Update: Aug  3 09:38:22 2006 GMT [EXPIRED]
NO OCSP
Bits=1024

Additionally, I have found no trace of them after a quick search. signet.pl's 
website only contains one root CA, which was never included in Debian.

Unless there's a well-founded argument against its removal, I plan to remove 
them from lenny, squeeze, and sid.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org