Hi. As one can see in the URL I linked (<https://blog.startcom.org/?p=145>, just in case I messed it up), certificates issued by Comodo resellers obviously can't be trusted, and therefore I think these certificates should be removed from ca-certificates (or at least from /etc/ca-certificates.com) and all other packages containing certificates.

Reproducible: Always
The incident is discussed upstream at this Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=470897
AFAICT it's maintained directly by Debian, cc'ing base-system for advice.
yes, it's maintained by debian, so i would file a bug at bugs.debian.org (if one hasn't been already)
unless i missed something, i don't think people have explicitly listed the comodo certs by serial. we could punt all that have "comodo" in their name, but that doesn't sound like a complete solution.
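What the two approaches in the comment above look like in practice, as an added example that is not from this bug thread or any of its participants: a name match over the bundle versus an explicit list keyed by SHA-256 fingerprint (the serial is printed as well, since a serial alone is only unique per issuer). Every certificate, name and serial below is constructed for the demo, as is the "second root run by the same operator" relationship; the tiny DER encoder and decoder are helpers written here, not code from ca-certificates or NSS, and they read only the subject CN and serial without validating anything else.

```python
"""Added example: filtering a PEM CA bundle by name vs. by explicit fingerprint list.
All certificates here are constructed; signatures and keys are filler bytes."""
import base64
import hashlib
import re

CN_OID = bytes.fromhex("550403")                 # id-at-commonName (2.5.4.3)
ALG_OID = bytes.fromhex("2a864886f70d01010b")    # sha256WithRSAEncryption, used as a placeholder
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der(tag, *parts):
    """Encode one definite-length DER TLV from already-encoded parts."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                        # long form: 0x80|k, then k length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_tlv(data, pos):
    """Decode the TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, holding a single CN."""
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID), der(0x0C, cn.encode()))))


def make_cert(cn, serial):
    """Build a syntactically valid but unsigned self-issued X.509 v3 certificate (constructed sample)."""
    alg = der(0x30, der(0x06, ALG_OID), der(0x05))
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # positive INTEGER
    validity = der(0x30, der(0x17, b"250101000000Z"), der(0x17, b"350101000000Z"))
    spki = der(0x30, alg, der(0x03, b"\x00\x00"))                                    # filler key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), serial_der, alg, name(cn), validity, name(cn), spki)
    return der(0x30, tbs, alg, der(0x03, b"\x00\x00"))                               # filler signature


def to_pem(der_bytes):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode() + "-----END CERTIFICATE-----\n"


def cert_identity(der_bytes):
    """Return (subject CN, serial as int, SHA-256 fingerprint hex) of a DER certificate."""
    _, cert, _ = der_tlv(der_bytes, 0)                    # Certificate ::= SEQUENCE
    tbs = next(der_children(cert))[1]                      # first child is tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")           # serialNumber
    subject = fields[4][1]                                 # serial, signature, issuer, validity, subject
    cn = None
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == CN_OID:
                cn = value.decode("utf-8", "replace")
    return cn, serial, hashlib.sha256(der_bytes).hexdigest()


def load_bundle(pem_bytes):
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_bytes)]  # b64decode skips newlines


def names(certs):
    return [cert_identity(c)[0] for c in certs]


def filter_by_name(certs, needle):
    """The incomplete approach: drop whatever carries the operator's name in its CN."""
    return [c for c in certs if needle.lower() not in (cert_identity(c)[0] or "").lower()]


def filter_by_fingerprint(certs, blocked):
    """The explicit approach: drop exactly the certificates whose fingerprint is listed."""
    return [c for c in certs if cert_identity(c)[2] not in blocked]


# Constructed scenario: the second root is run by the same operator as the first
# but does not carry its name, so a name match leaves it in the store.
SAMPLE_CERTS = [make_cert("COMODO Example Root", 4096), make_cert("Sample Root CA 2", 0x80),
                make_cert("Unrelated Root", 7)]
SAMPLE_BUNDLE = "".join(to_pem(c) for c in SAMPLE_CERTS).encode()
BLOCKED = {cert_identity(c)[2] for c in SAMPLE_CERTS[:2]}   # the explicit list the thread asks for

if __name__ == "__main__":
    certs = load_bundle(SAMPLE_BUNDLE)
    for cn, serial, fp in map(cert_identity, certs):
        print(f"{cn:22} serial={serial:#x} sha256={fp}")
    print("by name:       ", names(filter_by_name(certs, "comodo")))
    print("by fingerprint:", names(filter_by_fingerprint(certs, BLOCKED)))
```

Pointing `load_bundle` at a real bundle file (on Debian-derived systems the concatenated bundle is normally /etc/ssl/certs/ca-certificates.crt; an assumed path, not one the thread gives) prints the CN, serial and fingerprint of every root, which is the list a removal request would need to cite. Note that fingerprints identify the certificate, not the operator, so a list built this way still has to be maintained by hand as roots are added or replaced.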
*** Bug 421081 has been marked as a duplicate of this bug. ***
I'm nearly shocked because all Comodo certs are in both Firefox and Chromium, as well as in IE. What's happening? Why do the most popular browsers have Comodo certs and the most popular Linux distros don't?
@base-system: any news? is there anything to do here?
no idea. would have to check to see if debian updated things. if not, then we haven't either.
ca-certificates is merely mozilla's nss database in disguise. if we're serious about getting certs removed, you should lobby mozilla. i'd note that updating just ca-certificates won't help: nss itself will still have the certs in its own ca database, as will firefox.