Getting cross-certified only once more to avoid disruption to a large number of Android users?

In https://letsencrypt.org/2020/11/06/own-two-feet.html, you say:

Can we get another cross-signature? We’ve explored this option and it seems unlikely. ... , the Android update problem doesn’t seem to be going away. If we commit ourselves to supporting old Android versions, we would commit ourselves to seeking cross-signatures from other CAs indefinitely.

But maybe you could consider to get a new (and the last) cross-signature from a root CA that expires far from now, e.g. after 2030, when possibly the market share for Android <7.1 lowers considerably from 33.8% and their traffic gets from 1-5% to some (hopefully) negligible value (the numbers in the previous paragraph come from your article).

So, if any root CA is willing to assume the risk that involves signing a cross certificate for LE, would you be willing to re-explore this option?.

I believe it's exactly this what you're suggesting?

I am wondering if the LE team is willing to re-explore/reconsider the cross signature option as the alternative that would provide the least disruption to end users.

I think ISRG wouldn't have budget to buy another cross sign cert, because if an CA gives a cross sign, it get audit requirement for child CA too, when they first sign it was small and get though, but after it launched due to shear load of certificate will make price $1M /year range. (LE payed $0.30M in 2017 for audit and $0.35M for legal fee) so they couldn't sweeten the deal enough.

2 Likes

@orangepizza that would be a totally good reason not to go that road.

But, would it be possible to get an official confirmation on this being the reason to not seek the option of getting a new cross certificate?.

Without calling names (this is a LE forum and I don't want to advertise), there are other free certificate authorities out there supporting ACME and serving a highly compatible chain that you could consider using, if compatibility with legacy clients is a major concern for you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.