Any thoughts about that issue? https://github.com/letsencrypt/website/issues/416
@lestaff, does anyone have any thoughts about this as a policy issue? Is there a reason that the IdenTrust root must be downloaded from the IdenTrust site itself? (Maybe it better reassures people that they’re getting the correct file?)
Maybe add a hash verification (for the really paranoid)?
[oh no! I’ve said too much…]
Not sure it will help, because the hash will come from the same source.
And I don’t see a thread model here, but, I feel it’s important to indicate the source of the file so visitors can check it themselves if they need to. But I think it’s equally important that Let’s Encrypt keep control the download too: if the website says you can download the file “there” but “there” is no file…
That’s why my proposal was:
I don’t think there is anything technically or legally preventing us from doing this, but I’d prefer to leave it on their site. I don’t see the duplication as particularly helpful, and it makes organizational associations more clear.
They have a new website now that’s a lot nicer than the old one, fwiw.
But where has the DST X3 root gone to? It’s not literally named on the download page.
It’s hidden behind the “Root Certificate Download” link of the “TrustID X3” section… and it’s a file in p7b format…
I understand, but it means be dependant of that website. I have an alternative proposal:
- the identrust.com website is clearly highlighted as the main source
- but users can still download it if that website changes or if they need it in another format
The only alternative would be something like:
DST Root CA X3 download on identrust.com (hopefully using the “Root Certificate Download” link of the “TrustID X3” section, which is the new commercial name of that root)
Or a direct link to https://www.identrust.com/node/935 (the direct link to the file) but it may be as easily broken and is as close as hosting the file yourself.
But that’s not clear at all!
Also, OpenSSL doesn’t like the file at all too:
osiris@erazer ~ $ openssl pkcs7 -print_certs -in trustidrootx3_chain.p7b unable to load PKCS7 object 139828462591552:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: PKCS7 osiris@erazer ~ $
I wouldn’t mind a “normal” PEM-file on the Let’s Encrypt site…
Uch, tried that for the regular
x509 OpenSSL utility, didn’t try it for the