Bug#796208: ca-certificates: removal of SPI CA

2016-01-18 Thread Thijs Kinkhorst
On Sat, January 16, 2016 22:15, Robert Edmonds wrote:
> Axel Beckert wrote:
>> So why was the CA then removed already if debconf.org still uses this
>> CA? https://www.debconf.org/ is now reported as broken.
>
> Hi,
>
> If you examine the certificate served by www.debconf.org:443, it has a
> common name of wiki.debconf.org, with SANs for wiki.debconf.org and
> www.wiki.debconf.org.  It will report as broken regardless of which CAs
> are in the ca-certificates package, because the server does not appear
> to be configured to correctly serve its www.debconf.org virtual host via
> HTTPS.
>
> Also note that the certificate is issued by "Gandi Standard SSL CA 2",
> not SPI, Inc.
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
> Validity
> Not Before: Jan  1 00:00:00 2016 GMT
> Not After : Jan  1 23:59:59 2017 GMT
> Subject: OU=Domain Control Validated, OU=Gandi Standard SSL,
> CN=wiki.debconf.org
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (4096 bit)
> Modulus:
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Authority Key Identifier:
> 
> keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA
>
> X509v3 Subject Key Identifier:
> 92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client Authentication
> X509v3 Certificate Policies:
> Policy: 1.3.6.1.4.1.6449.1.2.2.26
>   CPS: https://cps.usertrust.com
> Policy: 2.23.140.1.2.1
>
> X509v3 CRL Distribution Points:
>
> Full Name:
>   URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl
>
> Authority Information Access:
> CA Issuers -
> URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
> OCSP - URI:http://ocsp.usertrust.com
>
> X509v3 Subject Alternative Name:
> DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
> Signature Algorithm: sha256WithRSAEncryption
>  

Bug#796208: ca-certificates: removal of SPI CA

2016-01-16 Thread Robert Edmonds
Axel Beckert wrote:
> So why was the CA then removed already if debconf.org still uses this
> CA? https://www.debconf.org/ is now reported as broken.

Hi,

If you examine the certificate served by www.debconf.org:443, it has a
common name of wiki.debconf.org, with SANs for wiki.debconf.org and
www.wiki.debconf.org.  It will report as broken regardless of which CAs
are in the ca-certificates package, because the server does not appear
to be configured to correctly serve its www.debconf.org virtual host via
HTTPS.

Also note that the certificate is issued by "Gandi Standard SSL CA 2",
not SPI, Inc.

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
Validity
Not Before: Jan  1 00:00:00 2016 GMT
Not After : Jan  1 23:59:59 2017 GMT
Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, 
CN=wiki.debconf.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier: 

keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

X509v3 Subject Key Identifier: 
92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage: 
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies: 
Policy: 1.3.6.1.4.1.6449.1.2.2.26
  CPS: https://cps.usertrust.com
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points: 

Full Name:
  URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

Authority Information Access: 
CA Issuers - 
URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
OCSP - URI:http://ocsp.usertrust.com

X509v3 Subject Alternative Name: 
DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
Signature Algorithm: sha256WithRSAEncryption
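Robert's point above, that a name mismatch fails independently of which CAs ca-certificates ships, as an added Python example (not code from the thread or from the ca-certificates package): the CN, issuer and SAN list come from the certificate dump above, while the trust-store contents and the `verify` helper are constructed, and matching the issuer name against a set stands in for real chain building to a root.

```python
"""Hostname verification vs. chain trust for the www.debconf.org case.

Added example; not part of the bug thread. Certificate values are taken from
the openssl dump quoted above; the trust stores below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LeafCert:
    common_name: str
    issuer: str
    san_dns: list = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard is only allowed as
    the whole left-most label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def hostname_matches(cert: LeafCert, hostname: str) -> bool:
    # Per RFC 6125 the CN is consulted only when no dNSName SAN is present.
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(dns_name_matches(n, hostname) for n in names)


def verify(cert: LeafCert, hostname: str, trusted_issuers: set) -> list:
    """Return the independent failure reasons (empty list means OK).
    Simplification: a real validator builds a chain to a root in the trust
    store; here the issuer name is looked up directly."""
    problems = []
    if cert.issuer not in trusted_issuers:
        problems.append("issuer not in trust store")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


# Values from the certificate served by www.debconf.org:443 in the thread.
DEBCONF_CERT = LeafCert(
    common_name="wiki.debconf.org",
    issuer="Gandi Standard SSL CA 2",
    san_dns=["wiki.debconf.org", "www.wiki.debconf.org"],
)

if __name__ == "__main__":
    for store in ({"Gandi Standard SSL CA 2"}, set()):      # constructed stores
        print(sorted(store), verify(DEBCONF_CERT, "www.debconf.org", store))
```

Whether or not the issuer is trusted, the visit to https://www.debconf.org/ fails on the name check, which is why dropping or keeping the SPI CA makes no difference to that particular error.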

Bug#796208: ca-certificates: removal of SPI CA

2016-01-16 Thread Axel Beckert
Raphael Geissert wrote:
> Just a bug report to track the removal of the SPI CA.

*sigh*

> As far as I'm aware of, only the debconf.org websites still use
> certificates signed by that CA.

So why was the CA then removed already if debconf.org still uses this
CA? https://www.debconf.org/ is now reported as broken.

And no, it's not only debconf.org: https://mentors.debian.net/ is
broken now, too. :-(

Do we now need a separate ca-spi package? As it had to be done for
CAcert?

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#796208: ca-certificates: removal of SPI CA

2015-11-24 Thread Aaron Zauner
Hi,

+1 on removal of this CA from the default system trusted CA
certificates. I get why back in the day CAcert and similar
projects looked like a valid idea, but the CA landscape has changed
significantly [0] since then and a CA that does not conform with
modern technical and operational procedures should not be included
by default (e.g. CA/B baseline requirements [1], RFC3647, certificate
transparency [2] et cetera) in any distribution, especially one
that's that popular and widely used on servers. This also affects
Ubuntu [3].

Thanks,
Aaron

[0] - https://lwn.net/Articles/663875/
  https://lwn.net/Articles/664385/
[1] - https://cabforum.org/baseline-requirements-documents/
[2] - https://www.certificate-transparency.org/how-ct-works
[3] - https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/ca-certificates/wily/files/head:/spi-inc.org/





Bug#796208: ca-certificates: removal of SPI CA

2015-08-20 Thread Raphael Geissert
Package: ca-certificates
Version: 20150426
Severity: important

Just a bug report to track the removal of the SPI CA.
As far as I'm aware of, only the debconf.org websites still use
certificates signed by that CA.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net