Identrust root download link


#1

Any thoughts about that issue? https://github.com/letsencrypt/website/issues/416


ZImbra SSL certificate renew
#2

@lestaff, does anyone have any thoughts about this as a policy issue? Is there a reason that the IdenTrust root must be downloaded from the IdenTrust site itself? (Maybe it better reassures people that they’re getting the correct file?)


#3

Maybe add a hash verification (for the really paranoid)?
[oh no! I’ve said too much…]


#4

Not sure it will help, because the hash will come from the same source.

And I don’t see a thread model here, but, I feel it’s important to indicate the source of the file so visitors can check it themselves if they need to. But I think it’s equally important that Let’s Encrypt keep control the download too: if the website says you can download the file “there” but “there” is no file…

That’s why my proposal was:

DST Root CA X3 (download .pem, .p7b or on identrust.com)


#5

I don’t think there is anything technically or legally preventing us from doing this, but I’d prefer to leave it on their site. I don’t see the duplication as particularly helpful, and it makes organizational associations more clear.

They have a new website now that’s a lot nicer than the old one, fwiw.


#6

But where has the DST X3 root gone to? It’s not literally named on the download page.


#7

It’s hidden behind the “Root Certificate Download” link of the “TrustID X3” section… and it’s a file in p7b format…

I understand, but it means be dependant of that website. I have an alternative proposal:

DST Root CA X3 download on identrust.com (or, alternatively, you can download a copy here: .pem, .p7b)

So:

  • the identrust.com website is clearly highlighted as the main source
  • but users can still download it if that website changes or if they need it in another format

The only alternative would be something like:

DST Root CA X3 download on identrust.com (hopefully using the “Root Certificate Download” link of the “TrustID X3” section, which is the new commercial name of that root)

Or a direct link to https://www.identrust.com/node/935 (the direct link to the file) but it may be as easily broken and is as close as hosting the file yourself.


#8

But that’s not clear at all!

Also, OpenSSL doesn’t like the file at all too:

osiris@erazer ~ $ openssl pkcs7 -print_certs -in trustidrootx3_chain.p7b 
unable to load PKCS7 object
139828462591552:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: PKCS7
osiris@erazer ~ $ 

I wouldn’t mind a “normal” PEM-file on the Let’s Encrypt site…


#9

try with -inform der :slight_smile:


#10

Uch, tried that for the regular x509 OpenSSL utility, didn’t try it for the pkcs7 utility. :blush:


#11

@josh I’ve submitted a proposal: https://github.com/letsencrypt/website/pull/446