Again, I think there are good reasons for pinning the certificate (I
agree with myself of ~14 months ago). Even better would be to use a
certificate generated by a private CA, so there's no third party that
can generate a malicious certificate that is trusted by the client. We
don't need a third party as Ubuntu "owns" both the sides of the channel
to secure (entropy.ubuntu.com:443 and the pollinate package).

As of today the entropy.ubuntu.com certificate is still issued by DigiCert:

Certificate chain
 0 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 2 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

and I haven't heard any more about plans to switch to Let's Encrypt, so
I'd say that there's nothing to fix here at the moment, but as I may be
missing some aspects of this I'm setting the bug status to Incomplete.
I'm still willing to work on it, provided that we agree there's something
to do!

** Changed in: pollinate (Ubuntu)
     Assignee: Paride Legovini (paride) => (unassigned)

** Changed in: pollinate (Ubuntu)
       Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1895714

Title:
  Investigate and remove CA pinning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pollinate/+bug/1895714/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
