ECC Intermediate and Root

What’s the current progress for ECC root and intermediate certificate generation? It’s been in the upcoming features for a long time…

Honestly, pinging @lestaff



As an ECDSA intermediate will need another cross-sign and it will be costly, I think they will delay it until they don’t have to cross-sign.
By the way, does Boulder support multiple signing keys?

Why? They can cross-sign with their own RSA root; it’s widely supported (and those who don’t trust it probably don’t support ECC either), no?

Android supports ECDSA from 4.4ish, but the LE root was only added in 7.1.1, so about 30% of Android users will be affected.


But if they don’t generate the EC root and request inclusion in CA programs, they’ll never get a chance to be trusted (in public). It looks to me like the first step hasn’t started.

The EC root will be signed with ISRG X1 at first, as that will allow it to be trusted by anything that trusts the old key, and then wait until the EC key is added to the root store.
They may sign it with the DST X3 key if more compatibility is needed, but as it only cross-signs RSA intermediates with a base constraint of length 0, it will need another contract, which is not likely to happen.

Honestly, this one has just been a continual victim of priorities. Planning a key signing ceremony is a big deal and pretty time consuming, and we’ve been busy with bug fixes, new features, and scaling out our service. Sorry it’s taken so long! I definitely appreciate hearing that there’s interest. :smiley:


Do you still agree with the idea of a draft presented to the community before the indefeasible signing ceremony?

From ECDSA Root and Intermediates:


Yep, I do like that idea! Thanks for reminding me of it.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.