The DST Root CA X3 from IdenTrust, which provides the trust path for Let's Encrypt in desktop and mobile browsers, expires on 30.09.2021.
Let's Encrypt's own root certificate is too new to be trusted by the majority of browsers and devices.
What is the plan for compatibility after this date, especially for websites that have to ensure that customers can use their sites even with older equipment?
Amazon made a good deal by buying Starfield and their root, which expires on 01.01.2038 and is trusted even in Windows XP SP3.
Is something similar in prospect for LE? Is IdenTrust holding another old root certificate?
I see no reason to believe that Let’s Encrypt are definitely dropping XP support in 3 years.
If cross-signing is still required for compatibility reasons, then, as already mentioned, IdenTrust has other certificates available. After all, rotation of intermediates is a fairly routine matter, and the current Let's Encrypt X3 intermediate will expire before the DST root does.
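What cross-signing buys, and what the expiry of the older root costs, is easy to see with a toy hierarchy. The Go program below is an added example, not code from this thread or from Let's Encrypt or IdenTrust: all names are hypothetical, and the dates are constructed (the legacy root is given the thread's 30.09.2021 expiry; the intermediate is deliberately given a lifetime beyond that date so that the root's expiry, not the intermediate's, is what breaks the chain). One intermediate key is certified by both an old root and a newer root, and a leaf issued under that key is then verified against each root at dates before and after the old root expires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy hierarchy (hypothetical names and dates, not real CAs):
//   legacyRoot  valid 2000-01-01 .. 2021-09-30, an old, widely trusted root
//   modernRoot  valid 2015-06-04 .. 2035-06-04, the CA's own younger root
//   one intermediate KEY with two certificates, one from each root (the cross-sign)
//   one leaf issued by the intermediate key
type pki struct {
	legacyRoot, modernRoot       *x509.Certificate
	interByLegacy, interByModern *x509.Certificate
	leaf                         *x509.Certificate
}

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for pub with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI() *pki {
	legacyKey, modernKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	legacyT := caTemplate(1, "Example Legacy Root (constructed)", date(2000, 1, 1), date(2021, 9, 30))
	modernT := caTemplate(2, "Example Modern Root (constructed)", date(2015, 6, 4), date(2035, 6, 4))
	legacyRoot := issue(legacyT, legacyT, &legacyKey.PublicKey, legacyKey)
	modernRoot := issue(modernT, modernT, &modernKey.PublicKey, modernKey)

	// Cross-signing: identical subject and key, certified once by each root.
	interT := caTemplate(3, "Example Intermediate (constructed)", date(2016, 3, 17), date(2025, 3, 17))
	interByLegacy := issue(interT, legacyRoot, &interKey.PublicKey, legacyKey)
	interByModern := issue(interT, modernRoot, &interKey.PublicKey, modernKey)

	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: date(2021, 8, 1), NotAfter: date(2021, 10, 30),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Either intermediate certificate may serve as parent: same key, same subject.
	leaf := issue(leafT, interByLegacy, &leafKey.PublicKey, interKey)
	return &pki{legacyRoot, modernRoot, interByLegacy, interByModern, leaf}
}

// chainsTo reports whether leaf verifies to root at time at, given the
// intermediates a server would send in its handshake.
func chainsTo(leaf, root *x509.Certificate, inters []*x509.Certificate, at time.Time) bool {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		mids.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, CurrentTime: at, DNSName: "example.test"})
	return err == nil
}

type results struct {
	LegacyBeforeExpiry bool // old client trusting only the legacy root, before 30.09.2021
	LegacyAfterExpiry  bool // the same client after the legacy root has expired
	ModernAfterExpiry  bool // newer client trusting the modern root, after 30.09.2021
	ModernWithoutCross bool // newer client, but the server sends only the legacy-signed intermediate
}

func evaluate(p *pki) results {
	both := []*x509.Certificate{p.interByLegacy, p.interByModern}
	return results{
		LegacyBeforeExpiry: chainsTo(p.leaf, p.legacyRoot, both, date(2021, 9, 1)),
		LegacyAfterExpiry:  chainsTo(p.leaf, p.legacyRoot, both, date(2021, 10, 15)),
		ModernAfterExpiry:  chainsTo(p.leaf, p.modernRoot, both, date(2021, 10, 15)),
		ModernWithoutCross: chainsTo(p.leaf, p.modernRoot, []*x509.Certificate{p.interByLegacy}, date(2021, 10, 15)),
	}
}

func main() {
	fmt.Printf("%+v\n", evaluate(buildPKI()))
}
```

The first two results are the thread's concern in miniature: a client that trusts only the old root accepts the chain before 30.09.2021 and rejects it afterwards, even though the leaf and the intermediate are both still within their validity periods. The last two show that a client trusting the newer root is unaffected, but only if the server actually sends the intermediate certificate issued by that root; the same intermediate key under the legacy root's signature does not help it.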
Cloudflare only works with SNI, and therefore not on old visitor hardware. And they have other restrictions regarding the testing of new technologies, so that they later work for business accounts.
Do you blame Let's Encrypt for choosing such an old root for cross-signing? The DST Root CA X3 is from 2000, near the beginning of active usage of the Internet.
The Starfield one, for instance, is from 2008. A wide range of root certificates from big CAs were issued around 2008.
But you think the LE root is too old?
Perhaps you should read my post and figure out the actual question.
And think twice: the target of LE is not only to be there for hobby projects, Owncloud, Nextcloud, private picture galleries, Internet routers... The mission is "to get to a 100% encrypted Web".
Read some statements from them. Really do that.
And their fast-growing market share in DV certificates will have consequences...
Can a CA live on EV and OV certificates? Journals in my country say no.
And another cash cow, the wildcard market, begins to disappear in a few days.
Oh, I think you don't need to earn your money (sorry if I am wrong). LE is not free; it costs money, but not your money, it's their money. Or would you work for free? Consider that you have to pay your rent...
And because LE is free for you and for me, it's not allowed to ask a question? Only sponsors should be allowed to ask questions?
IdenTrust has two others. Both start in 2014; the root from LE started in 2015, so cross-signing makes no sense.
I think your question is legitimate, but I think it’s too early to be sure of what options are available to Let’s Encrypt, in terms of which roots may be available to sign a future LE intermediate, and how much backward compatibility can be achieved. Nor do I think it’s too early to ask the question—but it might be too early to answer the question.
I’ll invite @josh to comment on this, but I wouldn’t be surprised if the answer is “we’ll have to continue researching and discussing this before making an announcement”.
I think being aware of upcoming events that can affect software compatibility is very useful; after all, we don’t want to be taken by surprise with little or no time to act.