Related to this bug, nss removed this CA today:

nss (2:3.21-1) unstable; urgency=medium

  * New upstream release.
  * nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL
    renegotiation. 5 years after the transition started, it shouldn't be
    necessary anymore.
  * nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA.
  * nss/lib/util/secload.c: Fix a warning introduced by our patch to this
    file.
  * debian/libnss3.symbols: Add NSS_3.21 symbol versions.

 -- Mike Hommey <gland...@debian.org>  Wed, 25 Nov 2015 09:18:30 +0900

Between Let's Encrypt and StartCom, I agree that SPI doesn't need to run a CA anymore, especially not a CA that only Debian systems trust. Debian sites should use certificates that all browsers trust, which they can easily do now.

- Josh Triplett