-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello folks,

I wanted to register a voice of dissent here. I don't think
"embarrassment" justifies breaking people's working and valid
certificates in this way.

This is only barely a security issue - StartCom and WoSign were
being punished for not following the rules.

The reduced trust in their roots was not caused by any
actual user harm, it was a punitive measure to show the world
that certificate authorities cannot get away with flouting the
rules. All they did was fudge some dates to help their customers
work around issues caused by the forced SHA-1 deprecation. The
browser vendors recognized this and took special care to design
the punishment in a way that wouldn't break existing sites. That
is why there is a cut-off date involved.

Debian's participation in this is not necessary to punish these
vendors; the browsers have that well in hand! I have not seen any
explanation of why this is actually a security concern; as far as
I can tell, all Debian is accomplishing here is to hurt its own
users and innocent third parties.

I am one such party; this impacts me (and my users), because
pagekite (as packaged and shipped by Debian) is connecting to
servers that use a pre-cut-off TLS certificate, a certificate
that has no security issues. Due to complicating factors at my
end (a lot of my users are in an embedded environment where
updates are difficult), it is not easy for me to change
certificates. Others may be in the same boat; I think it's safe
to assume that anyone still using a StartCom cert is doing so
because their circumstance makes migration difficult.

Thanks for listening and thanks for your work on Debian,

 - Bjarni

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJZMZOMAAoJEI4ANxYAz5SRsYcIAJM+hG7/7DCGUpG29z+wtqSt
PyX4e2nQTUnaySXYUpLlDSTYxxQVVaphm4uvY6FwsY27umxqlN7SvFrfylHiiSaV
LyKld7T2N/r0xAB3SfAMY0M3z/3WvADUUolHlsU6ju9RRwBAoNKqVRT/c9BPBsF5
CQW95MgGkMamIGeRgTL8uGBYBuZIEgK7ozHsthXu6jsh7DQWNuSngklTuDulEnhT
zlptlilwl3/9s19NMXmF07nc1b0YFfWtj+SDCZtW2LpyDxoHCOZRnwVkJl7odqag
uQ5ltV24VCuosGQRpaWr4q0PHXkLpbcnDUpPCpzcBSy3pyflPmEFMbGkXDWgZdA=
=B3aE
-----END PGP SIGNATURE-----
