Chrome Root Program

From https://www.zdnet.com/article/chrome-will-soon-have-its-own-dedicated-certificate-root-store/ :

Chrome will soon have its own dedicated certificate root store

I suppose Let's Encrypt will ask to be included ? :slightly_smiling_face:

5 Likes

And, on the same subject, is there a list of status (asked;in process;rejected;included;(not)planned;...) of inclusion to different root stores ? Such as Microsoft Root Program Inclusion Status? ? As Let's Encrypt now has more roots with separate chains, I think it became more important than the simple binary "trusted or not".

2 Likes

The Chrome Root Store can be seen here: https://g.co/chrome/root-store

ISRG Root X1 is already part of this "Transitional Root Store", as is the "DST Root CA X3".

I'm not sure if LE is required to do anything at this moment, besides including ISRG Root X2 when the time comes. The "Requesting Inclusing" section literally states: "For Certification Authorities that have not been included as part of this initial Chrome Root Store (…)", so I assume the CAs which are included don't have to apply for inclusion.

4 Likes

I wonder why they don't reuse android trust store? running two separate root store in single company is just byzantine

3 Likes

edit: oops, I think I probably misinterpreted what you were saying.

Agreed, maybe they will consolidate the two.

1 Like

I assume they do, whether or not partly. Their "Transitional Root Store" has come from somewhere, probably also the Android root store.

3 Likes

I am just personally so thrilled about this! It's a big step for Chrome but one in the right direction!

4 Likes

To address @tdelmas's second question:

The authoritative answer is each individual root store. You can see the most recent list of participants in Microsoft's root program here: https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT (yes, it includes ISRG Root X1).

We do not maintain a list of which programs our roots are included in, but we do maintain the compatibility page, which is a good proxy for that information. We will be updating the compatibility page with information regarding ISRG Root X2 soon.

8 Likes

Thank you @aarongable for that response!

1 Like