Browser/OS vendors with ISRG root in their root certificate stores


#1

Hi everyone!
Can anyone point me where I can find the current agreements with OS/browser vendors to add the ISRG root to their trust stores please? I know the LE intermediates are cross-signed with Identrust, but I’d like to see the current progress with vendors.

So far, I have discovered these:

I’m basically trying to create a small timeline on when the vendors will start trusting the ISRG root (so we no longer need IdenTrust to cross-sign).

Thanks in advance.


#2

Hi @Weird,

The earlier thread on this is

I’m not aware of any information which is not included in that thread, though you could ask for updates there.

I think it may be a long time, considering that some people are having a hard time justifying requiring SNI because of the loss of compatibility with IE6 on Windows XP (from 2001).


#3

Debian: Debian stable: ISRG Root X1 included!

Oracle(Java): Let's Encrypt Root CA (ISRG Root X1) now included by default in Oracle's JDK 8u141, 7u151

Hi, any update on that subject? Any known pending inclusion? Any news from Microsoft? From BlackBerry Inclusion of ISRG Root ?


#4

Only about 3½ years are left until the “DST Root CA X3” expires on 2021-09-30. It would be nice to get the ISRG root into the Android certificate store in the near future considering how many Android devices don’t receive regular updates.

Is this the relevant bug? https://bugs.chromium.org/p/chromium/issues/detail?id=531672


#5

I can’t speak for the staff, but it’s highly likely they’ll switch to IdenTrust’s newer root when the time comes to phase out the DST Root CA X3.

The ISRG Root X1 simply won’t have been in browsers an adequate amount of time, even if the stragglers all add them this year. Android is a good example of why: even if they include the certificate in Android P this year, a significant fraction of users will still be on older versions when the certificate expires 3 years later. (Today, 35% of Android users use a 3+ year old version.)