On Fri, 4 Dec 2015 23:36:57 -0600 Michael Shuler <mich...@pbandjelly.org> wrote: > Hi release team, > > I just requested an upload of ca-certificates (20151204) to unstable, > and I would like to follow that up with stable-pu and oldstable-pu > updates to include the current Mozilla CA bundle changes for jessie > and wheezy.
Hi Michael, I'm curious why the 2.6 update wasn't included with the 20151204 release. I've been told that one of the roots that was removed in the 2.6 update is going to be used by the CA to issue certificates that violate the Baseline Requirements[1]. It would be nice for Debian to stop trusting it before the CA starts doing this. Thanks, Andrew [1] This root is in addition to the Symantec root I mentioned in #721976. Indeed, multiple CAs are doing this, which underscores the need for timely root store updates.
