Bug#796208: ca-certificates: removal of SPI CA
On Sat, January 16, 2016 22:15, Robert Edmonds wrote:
> Axel Beckert wrote:
>> So why was the CA then removed already if debconf.org still uses this
>> CA? https://www.debconf.org/ is now reported as broken.
>
> Hi,
>
> If you examine the certificate served by www.debconf.org:443, it has a
> common name of wiki.debconf.org, with SANs for wiki.debconf.org and
> www.wiki.debconf.org. It will report as broken regardless of which CAs
> are in the ca-certificates package, because the server does not appear
> to be configured to correctly serve its www.debconf.org virtual host via
> HTTPS.
>
> Also note that the certificate is issued by "Gandi Standard SSL CA 2",
> not SPI, Inc.
>
> [certificate dump quoted in full; see the message below]
Bug#796208: ca-certificates: removal of SPI CA
Axel Beckert wrote:
> So why was the CA then removed already if debconf.org still uses this
> CA? https://www.debconf.org/ is now reported as broken.

Hi,

If you examine the certificate served by www.debconf.org:443, it has a
common name of wiki.debconf.org, with SANs for wiki.debconf.org and
www.wiki.debconf.org. It will report as broken regardless of which CAs
are in the ca-certificates package, because the server does not appear
to be configured to correctly serve its www.debconf.org virtual host via
HTTPS.

Also note that the certificate is issued by "Gandi Standard SSL CA 2",
not SPI, Inc.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Validity
            Not Before: Jan  1 00:00:00 2016 GMT
            Not After : Jan  1 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [4096-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

            X509v3 Subject Key Identifier:
                92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: https://cps.usertrust.com
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
                OCSP - URI:http://ocsp.usertrust.com

            X509v3 Subject Alternative Name:
                DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
    Signature Algorithm: sha256WithRSAEncryption
        [signature omitted]
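The distinction Robert draws above, that the certificate would fail for www.debconf.org under any trust store because its DNS-IDs name only wiki.debconf.org and www.wiki.debconf.org, can be checked with the hostname-matching rules of RFC 6125 section 6.4.3. The following is an added example, not code from the bug report; the SAN list is copied from the certificate above, `chain_trusted` is a stand-in for the separate trust-store question, and `diagnose` is an illustrative helper.

```python
"""Hostname matching against a certificate's SAN dNSName entries."""

# DNS-IDs taken from the certificate printed in the thread above.
DEBCONF_SANS = ["wiki.debconf.org", "www.wiki.debconf.org"]


def _normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are canonical."""
    return name.lower().rstrip(".")


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname.

    A wildcard is accepted only as the whole leftmost label ("*.example.org"),
    matches exactly one label, and never matches the bare domain.
    """
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False  # partial ("w*.") or multi-wildcard patterns are rejected
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def cert_covers_hostname(hostname: str, sans: list[str]) -> bool:
    """Return True if any SAN dNSName in the certificate covers hostname."""
    return any(dns_id_matches(san, hostname) for san in sans)


def diagnose(hostname: str, sans: list[str], chain_trusted: bool) -> str:
    """Separate the two failure modes the thread discusses: a certificate
    issued for a different name versus an issuer missing from the trust
    store. A name mismatch is reported first because no CA change fixes it."""
    if not cert_covers_hostname(hostname, sans):
        return "hostname mismatch: %s not in %s" % (hostname, sans)
    if not chain_trusted:
        return "issuer not in trust store"
    return "ok"


if __name__ == "__main__":
    # www.debconf.org fails even with the issuer trusted; wiki.debconf.org is fine.
    print(diagnose("www.debconf.org", DEBCONF_SANS, chain_trusted=True))
    print(diagnose("wiki.debconf.org", DEBCONF_SANS, chain_trusted=True))
```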
Bug#796208: ca-certificates: removal of SPI CA
Raphael Geissert wrote:
> Just a bug report to track the removal of the SPI CA.

*sigh*

> As far as I'm aware of, only the debconf.org websites still use
> certificates signed by that CA.

So why was the CA then removed already if debconf.org still uses this
CA? https://www.debconf.org/ is now reported as broken.

And no, it's not only debconf.org: https://mentors.debian.net/ is broken
now, too. :-(

Do we now need a separate ca-spi package? As it had to be done for CAcert?

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#796208: ca-certificates: removal of SPI CA
Hi,

+1 on removal of this CA from the default system trusted CA certificates.

I get why back in the day CAcert and similar projects looked like a valid
idea, but the CA landscape has changed significantly [0] since then and a
CA that does not conform with modern technical and operational procedures
should not be included by default (e.g. CA/B baseline requirements [1],
RFC3647, certificate transparency [2] et cetera) in any distribution,
especially one that's that popular and widely used on servers.

This also affects Ubuntu [3].

Thanks,
Aaron

[0] - https://lwn.net/Articles/663875/
      https://lwn.net/Articles/664385/
[1] - https://cabforum.org/baseline-requirements-documents/
[2] - https://www.certificate-transparency.org/how-ct-works
[3] - https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/ca-certificates/wily/files/head:/spi-inc.org/
Bug#796208: ca-certificates: removal of SPI CA
Package: ca-certificates
Version: 20150426
Severity: important

Just a bug report to track the removal of the SPI CA.

As far as I'm aware of, only the debconf.org websites still use
certificates signed by that CA.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net