Browser/OS vendors with ISRG root in their root certificate stores


#1

Hi everyone!
Can anyone point me to where I can find the current agreements with OS/browser vendors to add the ISRG root to their trust stores, please? I know the LE intermediates are cross-signed with IdenTrust, but I’d like to see the current progress with vendors.

So far, I have discovered these:

I’m basically trying to create a small timeline on when the vendors will start trusting the ISRG root (so we no longer need IdenTrust to cross-sign).

Thanks in advance.


#2

Hi @Weird,

The earlier thread on this is

I’m not aware of any information which is not included in that thread, though you could ask for updates there.

I think it may be a long time, considering that some people are having a hard time justifying requiring SNI because of the loss of compatibility with IE6 on Windows XP (from 2001).


#3

Debian: Debian stable: ISRG Root X1 included!

Oracle(Java): Let's Encrypt Root CA (ISRG Root X1) now included by default in Oracle's JDK 8u141, 7u151

Hi, any update on that subject? Any known pending inclusion? Any news from Microsoft? From BlackBerry: Inclusion of ISRG Root?


#4

Only about 3½ years are left until the “DST Root CA X3” expires on 2021-09-30. It would be nice to get the ISRG root into the Android certificate store in the near future considering how many Android devices don’t receive regular updates.

Is this the relevant bug? https://bugs.chromium.org/p/chromium/issues/detail?id=531672


#5

I can’t speak for the staff, but it’s highly likely they’ll switch to IdenTrust’s newer root when the time comes to phase out the DST Root CA X3.

The ISRG Root X1 simply won’t have been in browsers an adequate amount of time, even if the stragglers all add them this year. Android is a good example of why: even if they include the certificate in Android P this year, a significant fraction of users will still be on older versions when the certificate expires 3 years later. (Today, 35% of Android users use a 3+ year old version.)


#6

Android:

https://android.googlesource.com/platform/system/ca-certificates/+/android-7.1.1_r15

Yealink phones:

http://support.yealink.com/faq/faqInfo?id=691

Built-in Certificate List
Last modified date: 2017/08/03
Below are certificates which are trusted by Yealink phones as default in a TLS connection:
In Version 71 to version 80, there are 30 built-in certificates in the phone, below are the list:
[…]

  • ISRG Root X1 (intermediate certificates: Let’s Encrypt Authority X1 and Let’s Encrypt Authority X2 are signed by the root certificate ISRG Root X1.)

#7

We are in the following root programs:

  • Mozilla
  • Google Chrome
  • Google Android
  • Apple
  • Oracle (Java)
  • BlackBerry

All of these root programs have already shipped our root in their software.

The only program we’re not in yet is Microsoft. When we do get in, they have a system for propagating our root very quickly to all Microsoft products, except that we will never be trusted by Windows XP or earlier.


#9

Congratulations!

For Microsoft, the full list can be downloaded there: https://gallery.technet.microsoft.com/Trusted-Root-Program-d17011b8