We’ve applied to the MS and Apple root programs, haven’t heard much from them. I think the issue is that we haven’t published our full operational WebTrust audits yet, they’ll be out soon and then I’ll check in again.
Following my conversation with BlackBerry CEO John Chen yesterday, I received a message from a senior product manager at BlackBerry who is responsible for security product management. He thanked me for bringing this to their attention and says they have reached out to Let’s Encrypt to commence execution of their root certificate integration agreement. They are preparing a new build of their BlackBerry 10 software for Q2 release which the root certificates could be added to. They’re also willing to add the required certs to their custom Android build, which runs the BlackBerry Priv phone. Good news all around – I look forward to seeing Let’s Encrypt recognized by BlackBerry.
Since https://helloworld.letsencrypt.org is still using the X1 intermediate, it should be easy to add the X1 intermediate signed by ISRG Root X1 to the certificate chain without the need to bring the root key online with a key ceremony.
The root key has to be brought online before May 23 12:00:00 2016 GMT in order to sign the up-to-date CRL (see Signing of the new intermediates). On that date I suppose the root will sign the X3 and X4 intermediates.
The leaf certificate for https://helloworld.letsencrypt.org expires on 29 May 2016, and if it is renewed 30 days before (i.e. April the 29th, with the X3 intermediate) there will be no test site chaining to ISRG Root X1 between the renewal date and the key ceremony.
In order to always have a test site for the inclusion process, I suggest either delaying the automatic renewal of the test site until the key ceremony or holding the key ceremony before the end of April.
Yep, we saw it and we’re going to be configuring helloworld to serve the ISRG Root X1-signed intermediate instead of the DST Root X3-signed intermediate. Thanks for pointing it out!
@jsha I believe there are two unanswered questions in https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/gKCqWRmBQ_8 , is there someone in charge to answer them? To quote the Mozilla representative Kathleen Wilson: “A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted”
I only see one actual question, “answered” (with a question, which makes sense, because the question isn’t very forthcoming) by Richard Barnes, who is affiliated with Let’s Encrypt.
A representative of the CA whose root inclusion request is being discussed must clearly represent their employer and must promptly respond directly in the discussion thread to all questions that are posted.
(emphasis mine)
josh...@gmail.com and jo...@letsencrypt.org (Is that you, @jsha?) answered two times in that forum, probably as a representative of Let's Encrypt. I believe the use of the @letsencrypt.org address should be preferred, to indicate the representation of the CA, or at least add it in the signature of the message. (Which, by the way, was not signed, and groups.google.com truncates emails...)
Richard’s question is in reply to neg...@gmail.com, it’s not a question for Let’s Encrypt. I think it’s fair enough to ask to clarify what the question is about since it doesn’t contain any details. It’s a public, informal discussion, so I don’t think we’ll need to insist that the CA has to repeat the request for clarification when someone else has already done that.