Again, I think there are good reasons for pinning the certificate (I agree with myself of ~14 months ago). Even better would be to use a certificate generated by a private CA, so there's no third party that can generate a malicious certificate that is trusted by the client. We don't need a third party as Ubuntu "owns" both sides of the channel to secure (entropy.ubuntu.com:443 and the pollinate package).
As of today the entropy.ubuntu.com is still issued by DigiCert:

Certificate chain
 0 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 2 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

and I didn't hear any more of plans to switch to Let's Encrypt, so I'd say that there's nothing to fix here at the moment, but as I may be missing some aspects of this I'm setting the bug status to Incomplete. I'm still willing to work at it, provided that we agree there's something to do!

** Changed in: pollinate (Ubuntu)
     Assignee: Paride Legovini (paride) => (unassigned)

** Changed in: pollinate (Ubuntu)
       Status: Confirmed => Incomplete

--
https://bugs.launchpad.net/bugs/1895714

Title:
  Investigate and remove CA pinning
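The trust-anchor argument in the comment above, as an added example that is not part of the original bug comment or of pollinate: a certificate for the same name is checked once against a client that trusts only a private CA and once against a bundle that also contains a third-party CA. All keys, certificates, CA names and file names are constructed here; entropy.ubuntu.com is used only as a certificate subject and nothing touches the network.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated locally in a temp dir.
HOST=entropy.ubuntu.com   # used only as the certificate name

make_ca() {   # make_ca <name>: self-signed CA certificate with CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1.ext" &&
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

issue() {     # issue <ca-name> <leaf-name>: leaf certificate for $HOST signed by that CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$2.ext" &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

build_pki() (  # runs in a subshell; prints the directory holding the generated files
    dir=$(mktemp -d) && cd "$dir" || exit 1
    make_ca private-ca && make_ca third-party-ca &&
    issue private-ca genuine && issue third-party-ca third-party-issued &&
    # Stand-in for a general-purpose trust store that contains more than one CA.
    cat private-ca.pem third-party-ca.pem > web-pki-bundle.pem &&
    printf '%s\n' "$dir"
)

check() {     # check <trust-anchors.pem> <leaf.pem>: prints accepted or rejected
    if openssl verify -no-CApath -CAfile "$1" -verify_hostname "$HOST" "$2" \
        >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

PKI=$(build_pki) || exit 1
for anchors in private-ca web-pki-bundle; do
    for leaf in genuine third-party-issued; do
        printf '%-15s %-19s %s\n' "$anchors" "$leaf" \
            "$(check "$PKI/$anchors.pem" "$PKI/$leaf.pem")"
    done
done
```

With only the private CA as trust anchor, the certificate issued by the other CA fails verification even though its name matches; with the wider bundle both certificates verify.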