Hi everyone!
Can anyone point me where I can find the current agreements with OS/browser vendors to add the ISRG root to their trust stores please? I know the LE intermediates are cross-signed with Identrust, but I’d like to see the current progress with vendors.
I'm not aware of any information which is not included in that thread, though you could ask for updates there.
I think it may be a long time, considering that some people are having a hard time justifying requiring SNI because of the loss of compatibility with IE6 on Windows XP (from 2001).
Only about 3½ years are left until the “DST Root CA X3” expires on 2021-09-30. It would be nice to get the ISRG root into the Android certificate store in the near future considering how many Android devices don’t receive regular updates.
I can’t speak for the staff, but it’s highly likely they’ll switch to IdenTrust’s newer root when the time comes to phase out the DST Root CA X3.
The ISRG Root X1 simply won’t have been in browsers an adequate amount of time, even if the stragglers all add them this year. Android is a good example of why: even if they include the certificate in Android P this year, a significant fraction of users will still be on older versions when the certificate expires 3 years later. (Today, 35% of Android users use a 3+ year old version.)
Built-in Certificate List
Last modified date: 2017/08/03
Below are certificates which are trusted by Yealink phones as default in a TLS connection:
In Version 71 to version 80, there are 30 built-in certificates in the phone, below are the list:
[...]
ISRG Root X1 (intermediate certificates: Let’s Encrypt Authority X1 and Let’s Encrypt Authority X2 are signed by the root certificate ISRG Root X1.)
All of these root programs have already shipped our root in their software.
The only program we’re not in yet is Microsoft. When we do get in they have a system for propagating our root very quickly to all Microsoft products, except that we will never be trusted by Windows XP or earlier.