ca-certificates in xenial still trusts CNNIC

Bug #1643379 reported by Philipp Kern
This bug affects 2 people
Affects: ca-certificates (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

CNNIC was distrusted by Mozilla in April 2015 (https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/). The technical implementation involves blacklisting by notBefore date, which is unfortunately not replicable by ca-certificates. There should be some kind of action here of pulling the root certificate at some point rather than continuing to provide it with blanket trust. (And it's only one example; StartCom and WoSign are more recent ones.)
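
The gap the report describes, as an added example that is not part of the original report and is not Mozilla's or Ubuntu's code: a flat root bundle accepts every valid chain to a root, while a notBefore rule accepts only certificates dated before a cutoff. The root, the two leaf certificates, the function names and the cutoff date are constructed for illustration; this is a simplified model of the policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var cutoff = time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC) // assumed cutoff, not stated in the report

// issue builds a constructed test certificate; a nil parent means self-signed.
func issue(cn string, notBefore time.Time, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(notBefore.Unix()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: time.Now().AddDate(1, 0, 0), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// bundleTrusts models a flat root bundle: any valid chain to the root passes.
func bundleTrusts(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// dateLimitedTrusts adds the notBefore restriction on top of chain validation.
func dateLimitedTrusts(leaf *x509.Certificate, roots *x509.CertPool) bool { return bundleTrusts(leaf, roots) && leaf.NotBefore.Before(cutoff) }

// decisions returns {bundle(old), bundle(new), dateLimited(old), dateLimited(new)}.
func decisions() [4]bool {
	root, rootKey := issue("Constructed Root", time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	old, _ := issue("old.example", time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), false, root, rootKey)
	recent, _ := issue("new.example", time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC), false, root, rootKey)
	return [4]bool{bundleTrusts(old, pool), bundleTrusts(recent, pool), dateLimitedTrusts(old, pool), dateLimitedTrusts(recent, pool)}
}
func main() { fmt.Println(decisions()) }
```

With the root present in the pool the flat check accepts both leaves; removing the root from the pool would reject both, so only the date-aware check can tell them apart.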

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
This report contains Public Security information  
Everyone can see this security related information.
