Related to this bug, nss removed this CA today:
nss (2:3.21-1) unstable; urgency=medium
* New upstream release.
* nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL renegotiation.
5 years after the transition started, it shouldn't be necessary anymore.
* nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA.
* nss/lib/util/secload.c: Fix a warning introduced by our patch to this file.
* debian/libnss3.symbols: Add NSS_3.21 symbol versions.
-- Mike Hommey <gland...@debian.org> Wed, 25 Nov 2015 09:18:30 +0900
Between Let's Encrypt and StartCom, I agree that SPI doesn't need to run a CA
anymore, especially not a CA that only Debian systems trust. Debian sites
should use certificates that all browsers trust, which they can easily do now.
- Josh Triplett
