Chrome Root Program

tdelmas · October 31, 2020, 5:44pm

From https://www.zdnet.com/article/chrome-will-soon-have-its-own-dedicated-certificate-root-store/ :

Chrome will soon have its own dedicated certificate root store

https://www.chromium.org/Home/chromium-security/root-ca-policy

I suppose Let's Encrypt will ask to be included ?

tdelmas · October 31, 2020, 5:49pm

And, on the same subject, is there a list of status (asked;in process;rejected;included;(not)planned;...) of inclusion to different root stores ? Such as Microsoft Root Program Inclusion Status? ? As Let's Encrypt now has more roots with separate chains, I think it became more important than the simple binary "trusted or not".

Osiris · October 31, 2020, 5:53pm

The Chrome Root Store can be seen here: https://g.co/chrome/root-store

ISRG Root X1 is already part of this "Transitional Root Store", as is the "DST Root CA X3".

I'm not sure if LE is required to do anything at this moment, besides including ISRG Root X2 when the time comes. The "Requesting Inclusing" section literally states: "For Certification Authorities that have not been included as part of this initial Chrome Root Store (…)", so I assume the CAs which are included don't have to apply for inclusion.

orangepizza · November 1, 2020, 3:00am

I wonder why they don't reuse android trust store? running two separate root store in single company is just byzantine

_az · November 1, 2020, 3:50am

edit: oops, I think I probably misinterpreted what you were saying.

Agreed, maybe they will consolidate the two.

Osiris · November 1, 2020, 9:18am

I assume they do, whether or not partly. Their "Transitional Root Store" has come from somewhere, probably also the Android root store.

jple · November 5, 2020, 10:28pm

I am just personally so thrilled about this! It's a big step for Chrome but one in the right direction!

aarongable · November 5, 2020, 11:04pm

To address @tdelmas's second question:

The authoritative answer is each individual root store. You can see the most recent list of participants in Microsoft's root program here: https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT (yes, it includes ISRG Root X1).

We do not maintain a list of which programs our roots are included in, but we do maintain the compatibility page, which is a good proxy for that information. We will be updating the compatibility page with information regarding ISRG Root X2 soon.

tdelmas · November 6, 2020, 9:31am

Thank you @aarongable for that response!

system · December 6, 2020, 9:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Inclusion of ISRG Root	27	20848	November 19, 2020
Microsoft Root Program Inclusion Status? ISRG/Organizational	1	1361	March 26, 2018
Browser/OS vendors with ISRG root in their root certificate stores ISRG/Organizational	8	6689	May 9, 2019
Contact DigiCert CT Log Operators to request inclusion	9	2359	May 10, 2016
Root Inclusion in Mozilla Praise	10	3010	September 7, 2016

Chrome Root Program

Related topics