*** This bug is a security vulnerability *** Public security bug reported:
CNNIC has been distrusted by Mozilla in April 2015 (https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic- certificates/). The technical implementation involves blacklisting by notBefore date, which is unfortunately not replicatable by ca- certificates. There should be some kind of action here of pulling the root certificate at some point rather than continue to provide it with blanket trust. (And it's only one example, Startcom and Wosign are more recent ones.) ** Affects: ca-certificates (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1643379 Title: ca-certificates in xenial still trusts CNNIC To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1643379/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs