Debian Bug report logs - #796208
ca-certificates: removal of SPI CA

Package: ca-certificates; Maintainer for ca-certificates is Julien Cristau <jcristau@debian.org>; Source for ca-certificates is src:ca-certificates.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Thu, 20 Aug 2015 10:36:02 UTC

Severity: important

Found in version ca-certificates/20150426

Fixed in version ca-certificates/20151214

Done: Michael Shuler <michael@pbandjelly.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#796208; Package ca-certificates. (Thu, 20 Aug 2015 10:36:06 GMT).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Thu, 20 Aug 2015 10:36:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ca-certificates: removal of SPI CA
Date: Thu, 20 Aug 2015 12:33:58 +0200
Package: ca-certificates
Version: 20150426
Severity: important

Just a bug report to track the removal of the SPI CA.
As far as I'm aware of, only the debconf.org websites still use
certificates signed by that CA.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#796208; Package ca-certificates. (Tue, 24 Nov 2015 20:03:06 GMT).


Acknowledgement sent to Aaron Zauner <azet@azet.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Tue, 24 Nov 2015 20:03:06 GMT).


Message #10 received at 796208@bugs.debian.org:

From: Aaron Zauner <azet@azet.org>
To: 796208@bugs.debian.org
Subject: Re: ca-certificates: removal of SPI CA
Date: Tue, 24 Nov 2015 21:01:50 +0100
Hi,

+1 on removal of this CA from the default system trusted CA
certificates. I get why back in the day CAcert and similar
projects looked like a valid idea, but the CA landscape has changed
significantly [0] since then and a CA that does not conform with
modern technical and operational procedures should not be included
by default (e.g. CA/B baseline requirements [1], RFC3647, certificate
transparency [2] et cetera) in any distribution, especially one
that's that popular and widely used on servers. This also affects
Ubuntu [3].

Thanks,
Aaron

[0] - https://lwn.net/Articles/663875/
      https://lwn.net/Articles/664385/
[1] - https://cabforum.org/baseline-requirements-documents/
[2] - https://www.certificate-transparency.org/how-ct-works
[3] - https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/ca-certificates/wily/files/head:/spi-inc.org/


Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#796208; Package ca-certificates. (Wed, 25 Nov 2015 21:18:03 GMT).


Acknowledgement sent to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Wed, 25 Nov 2015 21:18:03 GMT).


Message #15 received at 796208@bugs.debian.org:

From: Josh Triplett <josh@joshtriplett.org>
To: 796208@bugs.debian.org
Subject: libnss3 removed the SPI CA
Date: Wed, 25 Nov 2015 13:15:41 -0800
Related to this bug, nss removed this CA today:

nss (2:3.21-1) unstable; urgency=medium

  * New upstream release.
  * nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL renegotiation.
    5 years after the transition started, it shouldn't be necessary anymore.
  * nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA.
  * nss/lib/util/secload.c: Fix a warning introduced by our patch to this file.
  * debian/libnss3.symbols: Add NSS_3.21 symbol versions.

 -- Mike Hommey <glandium@debian.org>  Wed, 25 Nov 2015 09:18:30 +0900


Between Let's Encrypt and StartCom, I agree that SPI doesn't need to run a CA
anymore, especially not a CA that only Debian systems trust.  Debian sites
should use certificates that all browsers trust, which they can easily do now.

- Josh Triplett



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#796208; Package ca-certificates. (Sat, 05 Dec 2015 05:03:03 GMT).


Acknowledgement sent to Michael Shuler <michael@pbandjelly.org>:
Extra info received and forwarded to list. (Sat, 05 Dec 2015 05:03:03 GMT).


Message #20 received at 796208@bugs.debian.org:

From: Michael Shuler <michael@pbandjelly.org>
To: 796208@bugs.debian.org
Subject: Re: Bug#796208: libnss3 removed the SPI CA
Date: Fri, 4 Dec 2015 23:00:06 -0600
Control: tags -1 + pending

On 11/25/2015 03:15 PM, Josh Triplett wrote:
> Related to this bug, nss removed this CA today:

Thanks for the update. I've removed the SPI CA in git, and I'm prepping
an upload to unstable.

http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/commit/?id=12b1983c7f396327302088851251cdb797923c02

-- 
Kind regards,
Michael




Added tag(s) pending. Request was from Michael Shuler <michael@pbandjelly.org> to 796208-submit@bugs.debian.org. (Sat, 05 Dec 2015 05:03:03 GMT).


Reply sent to Michael Shuler <michael@pbandjelly.org>:
You have taken responsibility. (Sun, 20 Dec 2015 10:09:17 GMT).


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sun, 20 Dec 2015 10:09:17 GMT).


Message #27 received at 796208-close@bugs.debian.org:

From: Michael Shuler <michael@pbandjelly.org>
To: 796208-close@bugs.debian.org
Subject: Bug#796208: fixed in ca-certificates 20151214
Date: Sun, 20 Dec 2015 10:06:36 +0000
Source: ca-certificates
Source-Version: 20151214

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 796208@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 14 Dec 2015 18:51:50 -0600
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20151214
Distribution: unstable
Urgency: medium
Maintainer: Michael Shuler <michael@pbandjelly.org>
Changed-By: Michael Shuler <michael@pbandjelly.org>
Description:
 ca-certificates - Common CA certificates
Closes: 611501 783615 789753 796208
Changes:
 ca-certificates (20151214) unstable; urgency=medium
 .
   * Removed SPI CA.  Closes: #796208
   * debian/{compat,control}:
     Updated d/compat to version 9 and updated Build-Depends.
   * debian/postinst:
     Handle /usr/local/share/ca-certificates permissions and ownership on
     upgrade.  Closes: #611501
   * mozilla/certdata2pem.py:
     Add Python 3 support to ca-certificates.
     Thanks to Andrew Wilcox and Richard Ipsum for the patch!  Closes: #789753
   * sbin/update-ca-certificates:
     Update local certificates directory when calling --fresh.
     Thanks for the patch, Daniel Lutz!  Closes: #783615
   * mozilla/{certdata.txt,nssckbi.h}:
     Update Mozilla certificate authority bundle to version 2.6.
     The following certificate authorities were added (+):
     + "CA WoSign ECC Root"
     + "Certification Authority of WoSign G2"
     + "Certinomis - Root CA"
     + "OISTE WISeKey Global Root GB CA"
     + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
     + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
     The following certificate authorities were removed (-):
     - "A-Trust-nQual-03"
     - "Buypass Class 3 CA 1"
     - "ComSign Secured CA"
     - "Digital Signature Trust Co. Global CA 1"
     - "Digital Signature Trust Co. Global CA 3"
     - "SG TRUST SERVICES RACINE"
     - "TC TrustCenter Class 2 CA II"
     - "TC TrustCenter Universal CA I"
     - "TURKTRUST Certificate Services Provider Root 1"
     - "TURKTRUST Certificate Services Provider Root 2"
     - "UTN DATACorp SGC Root CA"
     - "Verisign Class 4 Public Primary Certification Authority - G3"




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#796208; Package ca-certificates. (Sat, 16 Jan 2016 19:57:07 GMT).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Sat, 16 Jan 2016 19:57:07 GMT).


Message #32 received at 796208@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Raphael Geissert <geissert@debian.org>, 796208@bugs.debian.org
Subject: Re: Bug#796208: ca-certificates: removal of SPI CA
Date: Sat, 16 Jan 2016 20:54:22 +0100
Raphael Geissert wrote:
> Just a bug report to track the removal of the SPI CA.

*sigh*

> As far as I'm aware of, only the debconf.org websites still use
> certificates signed by that CA.

So why was the CA then removed already if debconf.org still uses this
CA? https://www.debconf.org/ is now reported as broken.

And no, it's not only debconf.org: https://mentors.debian.net/ is
broken now, too. :-(

Do we now need a separate ca-spi package? As it had to be done for
CAcert?

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#796208; Package ca-certificates. (Sat, 16 Jan 2016 21:18:04 GMT).


Acknowledgement sent to Robert Edmonds <edmonds@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Sat, 16 Jan 2016 21:18:04 GMT).


Message #37 received at 796208@bugs.debian.org:

From: Robert Edmonds <edmonds@debian.org>
To: Axel Beckert <abe@debian.org>, 796208@bugs.debian.org
Subject: Re: Bug#796208: ca-certificates: removal of SPI CA
Date: Sat, 16 Jan 2016 16:15:03 -0500
Axel Beckert wrote:
> So why was the CA then removed already if debconf.org still uses this
> CA? https://www.debconf.org/ is now reported as broken.

Hi,

If you examine the certificate served by www.debconf.org:443, it has a
common name of wiki.debconf.org, with SANs for wiki.debconf.org and
www.wiki.debconf.org.  It will report as broken regardless of which CAs
are in the ca-certificates package, because the server does not appear
to be configured to correctly serve its www.debconf.org virtual host via
HTTPS.

Also note that the certificate is issued by "Gandi Standard SSL CA 2",
not SPI, Inc.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Validity
            Not Before: Jan  1 00:00:00 2016 GMT
            Not After : Jan  1 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

            X509v3 Subject Key Identifier: 
                92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: https://cps.usertrust.com
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
                OCSP - URI:http://ocsp.usertrust.com

            X509v3 Subject Alternative Name: 
                DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
    Signature Algorithm: sha256WithRSAEncryption

> And no, it's not only debconf.org: https://mentors.debian.net/ is
> broken now, too. :-(

That certificate expires in ~4 months and will need to be replaced soon,
too.

-- 
Robert Edmonds
edmonds@debian.org
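
The triage in the message above, as an added example (not part of the original thread or of the ca-certificates package): it separates a host name mismatch from a certificate whose issuer was dropped from the bundle, using fields abridged from the quoted dump. The second certificate, the issuer match string and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Abridged from the certificate dump quoted in the message above.
DEBCONF_CERT = """\
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
            Not Before: Jan  1 00:00:00 2016 GMT
            Not After : Jan  1 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
            X509v3 Subject Alternative Name:
                DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
"""

# Constructed contrast case: the name matches, but the issuer is the removed CA.
# Issuer string and host name are stand-ins, not copied from a real certificate.
REMOVED_CA_CERT = """\
        Issuer: O=Software in the Public Interest, CN=Certificate Authority
            Not Before: Jun  1 00:00:00 2015 GMT
            Not After : Jun  1 00:00:00 2016 GMT
        Subject: CN=service.example.org
            X509v3 Subject Alternative Name:
                DNS:service.example.org
"""

REMOVED_ISSUER_MARKERS = ("Software in the Public Interest",)  # assumed match string
AS_OF = datetime(2016, 1, 16, tzinfo=timezone.utc)  # day of the "broken" report


def _when(text, label):
    """Parse an openssl 'Not Before' / 'Not After' line into an aware datetime."""
    raw = re.search(label + r"\s*:\s*(.+)", text).group(1)
    stamp = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Extract the fields the triage needs from `openssl x509 -text` output."""
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    return {
        "issuer": re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip(),
        "cn": cn.group(1).strip() if cn else None,
        "sans": re.findall(r"DNS:([^,\s]+)", text),
        "not_before": _when(text, "Not Before"),
        "not_after": _when(text, "Not After"),
    }


def hostname_matches(hostname, pattern):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def triage(cert_text, hostname, markers=REMOVED_ISSUER_MARKERS, now=AS_OF):
    """Return the independent reasons a client would reject this certificate."""
    cert = parse_cert_text(cert_text)
    # The subject CN is consulted only when the certificate carries no SANs.
    names = cert["sans"] or ([cert["cn"]] if cert["cn"] else [])
    findings = []
    if not any(hostname_matches(hostname, name) for name in names):
        findings.append("hostname-mismatch")
    if any(marker.lower() in cert["issuer"].lower() for marker in markers):
        findings.append("issuer-removed-from-bundle")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("outside-validity")
    return findings


if __name__ == "__main__":
    print(triage(DEBCONF_CERT, "www.debconf.org"))
    print(triage(REMOVED_CA_CERT, "service.example.org"))
```

Only the second finding is affected by what the CA bundle contains; a host name mismatch stays broken whichever roots are installed.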



Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#796208; Package ca-certificates. (Mon, 18 Jan 2016 13:24:17 GMT).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Mon, 18 Jan 2016 13:24:17 GMT).


Message #42 received at 796208@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Robert Edmonds" <edmonds@debian.org>, 796208@bugs.debian.org
Cc: "Axel Beckert" <abe@debian.org>
Subject: Re: Bug#796208: ca-certificates: removal of SPI CA
Date: Mon, 18 Jan 2016 14:12:29 +0100
On Sat, January 16, 2016 22:15, Robert Edmonds wrote:
> Axel Beckert wrote:
>> So why was the CA then removed already if debconf.org still uses this
>> CA? https://www.debconf.org/ is now reported as broken.
>
> Hi,
>
> If you examine the certificate served by www.debconf.org:443, it has a
> common name of wiki.debconf.org, with SANs for wiki.debconf.org and
> www.wiki.debconf.org.  It will report as broken regardless of which CAs
> are in the ca-certificates package, because the server does not appear
> to be configured to correctly serve its www.debconf.org virtual host via
> HTTPS.
>
> Also note that the certificate is issued by "Gandi Standard SSL CA 2",
> not SPI, Inc.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
>         Validity
>             Not Before: Jan  1 00:00:00 2016 GMT
>             Not After : Jan  1 23:59:59 2017 GMT
>         Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA
>
>             X509v3 Subject Key Identifier:
>                 92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Certificate Policies:
>                 Policy: 1.3.6.1.4.1.6449.1.2.2.26
>                   CPS: https://cps.usertrust.com
>                 Policy: 2.23.140.1.2.1
>
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl
>
>             Authority Information Access:
>                 CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
>                 OCSP - URI:http://ocsp.usertrust.com
>
>             X509v3 Subject Alternative Name:
>                 DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
>     Signature Algorithm: sha256WithRSAEncryption
>
>> And no, it's not only debconf.org: https://mentors.debian.net/ is
>> broken now, too. :-(
>
> That certificate expires in ~4 months and will need to be replaced soon,
> too.

Thanks Robert for the explanation.

This decision has not been made by just the package maintainers in
isolation. DSA has made it explicit that they've migrated away from the
SPI CA. Any remaining use is just indicative of a certificate that is in
need of replacement.

Cheers,
Thijs



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 16 Feb 2016 07:26:45 GMT).

