
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 28,514 of 28,835   
   Chris Hofstaedtler to Simon Josefsson   
   Bug#1128593: Disable CAs that doesn't of   
   22 Feb 26 12:30:01   
   
   From: zeha@debian.org   
      
   On Sat, Feb 21, 2026 at 06:25:47PM +0100, Simon Josefsson wrote:   
   > Package: ca-certificates   
   > Version: 20250419   
   > Severity: wishlist   
   >   
      
   > Not thinking of any of those CAs specifically, but generally, I wonder   
   > if Debian's users are served by having all of the WebPKI CAs enabled by   
   > default.   
   [..]   
   > One simple criteria could be that the CA supports Certificate   
   > Transparency and offer a public log of all their issued certificates,   
      
   I was going to say that WebPKI already requires that, however it   
   appears this might not be a WebPKI requirement per se, but what the   
   big platforms require (Chrome, Firefox, Apple, Microsoft).   
      
   Having thought that, I spot-checked a few certs from the list, and   
   for a lot of them - indeed they submit data to CT logs.   
      
   > Quoting a recent security update for 'ca-certificates':   
   >   
   > > Mozilla certificate authority bundle was updated to version 2.60   
   > > The following certificate authorities were added (+):   
   [..]   
   > >     + "Security Communication RootCA3"   
      
   This one caught my eye though, and it appears NSS *removed* the cert   
   in 2024, in   
   https://hg-edge.mozilla.org/projects/nss/rev/30e2fd27da97479c409e3384cc663b15a957714   
      
   I assume Simon quoted the changelog of something like ca-certificates   
   20230311+deb12u1~deb11u1, and not the 20250419 that was given as   
   Version:.   
   I don't quite understand why the LTS project ships certificate   
   bundles from 2023 in 2026 however. That seems like a big disservice   
   to users.   
      
   Chris   
      