Security experts at threat modeling recommended that we check all certificates in the chain for weak signatures (excluding the trusted root certificate).
Need to write an Azure Function to check how many packages on nuget.org will pass validation when building the certificate chain without excluding the root.
Then decide if it's feasible to implement it.
Work item that tracks server-side validation: https://github.com/NuGet/Engineering/issues/1430
/cc @dtivel /cc @PatoBeltran
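
A sketch of the check described in this issue, added here as an illustration and not NuGet's own code: it walks a chain ordered leaf to root and reports certificates with weak signature algorithms, with and without the root. The `WeakSignatureCheck` class, the `FindWeak` helper, the OID list treated as weak, and the in-memory sample chain are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class WeakSignatureCheck
{
    // Assumption: this OID list (MD2, MD5 and SHA-1 based signatures) is illustrative;
    // the issue does not say which algorithms count as weak.
    static readonly HashSet<string> WeakOids = new HashSet<string>
    {
        "1.2.840.113549.1.1.2", // md2WithRSAEncryption
        "1.2.840.113549.1.1.4", // md5WithRSAEncryption
        "1.2.840.113549.1.1.5", // sha1WithRSAEncryption
        "1.2.840.10040.4.3",    // dsa-with-sha1
        "1.2.840.10045.4.1",    // ecdsa-with-SHA1
    };

    // chain is ordered leaf first, root last, as in X509Chain.ChainElements.
    // With excludeRoot, a self-issued last element is skipped.
    public static List<X509Certificate2> FindWeak(IReadOnlyList<X509Certificate2> chain, bool excludeRoot)
    {
        int count = chain.Count;
        if (excludeRoot && count > 0 &&
            chain[count - 1].SubjectName.RawData.SequenceEqual(chain[count - 1].IssuerName.RawData))
            count--;
        return chain.Take(count).Where(c => WeakOids.Contains(c.SignatureAlgorithm.Value)).ToList();
    }

    static void Main()
    {
        // Constructed sample chain: SHA-1 self-signed root, SHA-256 signed leaf.
        var now = DateTimeOffset.UtcNow;
        using var rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Constructed Root", rootKey, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using var root = rootReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(2));
        using var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=Constructed Leaf", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var leaf = leafReq.Create(root, now, now.AddDays(1), new byte[] { 1 });

        var chain = new[] { leaf, root };
        Console.WriteLine($"weak, root excluded: {FindWeak(chain, true).Count}");
        Console.WriteLine($"weak, root included: {FindWeak(chain, false).Count}");
    }
}
```

For a chain built with `X509Chain`, the same helper can be fed `ChainElements` projected to their `Certificate` property.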