-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello folks,
I wanted to register a voice of dissent here. I don't think "embarrassment" justifies breaking people's working and valid certificates in this way. This is only barely a security issue - StartCom and WoSign were being punished for not following the rules. The reduced trust in their roots was not caused by any actual user harm; it was a punitive measure to show the world that certificate authorities cannot get away with flouting the rules. All they did was fudge some dates to help their customers work around issues caused by the forced SHA-1 deprecation. The browser vendors recognized this and took special care to design the punishment in a way that wouldn't break existing sites. That is why there is a cut-off date involved.

Debian's participation in this is not necessary to punish these vendors; the browsers have that well in hand! I have not seen any explanation of why this is actually a security concern; as far as I can tell, all Debian is accomplishing here is to hurt its own users and innocent third parties.

I am one such party; this impacts me (and my users), because pagekite (as packaged and shipped by Debian) is connecting to servers that use a pre-cut-off TLS certificate, a certificate that has no security issues. Due to complicating factors at my end (a lot of my users are in an embedded environment where updates are difficult), it is not easy for me to change certificates. Others may be in the same boat; I think it's safe to assume that anyone still using a StartCom cert is doing so because their circumstances make migration difficult.
Thanks for listening and thanks for your work on Debian,

- Bjarni
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJZMZOMAAoJEI4ANxYAz5SRsYcIAJM+hG7/7DCGUpG29z+wtqSt
PyX4e2nQTUnaySXYUpLlDSTYxxQVVaphm4uvY6FwsY27umxqlN7SvFrfylHiiSaV
LyKld7T2N/r0xAB3SfAMY0M3z/3WvADUUolHlsU6ju9RRwBAoNKqVRT/c9BPBsF5
CQW95MgGkMamIGeRgTL8uGBYBuZIEgK7ozHsthXu6jsh7DQWNuSngklTuDulEnhT
zlptlilwl3/9s19NMXmF07nc1b0YFfWtj+SDCZtW2LpyDxoHCOZRnwVkJl7odqag
uQ5ltV24VCuosGQRpaWr4q0PHXkLpbcnDUpPCpzcBSy3pyflPmEFMbGkXDWgZdA=
=B3aE
-----END PGP SIGNATURE-----