Inclusion of ISRG Root

Good News in https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
They switched to the next phase :slight_smile:


Did @jsha, @schoen, @josh or another LE ops person see that message: 1204656 - Add ISRG / Let's Encrypt root certificate?

Kathleen Wilson (Mozilla) said about https://helloworld.letsencrypt.org/:

I need a test website whose SSL cert chains up to the root cert to be included.

(The current configuration doesn't match that: Helloworld.letsencrypt.org can only find certificate with DST X3 loaded - #2 by pfg)


Since https://helloworld.letsencrypt.org is still using the X1 intermediate, it should be easy to add the X1 intermediate signed by ISRG Root X1 to the certificate chain without needing to bring the root key online for a key ceremony.
The root key has to be brought online before May 23 12:00:00 2016 GMT in order to sign an up-to-date CRL (see Signing of the new intermediates). On that date I suppose the root will also sign the X3 and X4 intermediates.
The leaf certificate for https://helloworld.letsencrypt.org expires on 29 May 2016, and if it is renewed 30 days before that (i.e. on April 29th, with the X3 intermediate), there will be no test site chaining to ISRG Root X1 between the renewal date and the key ceremony.
In order to always have a test site available for the inclusion process, I suggest either delaying the automatic renewal of the test site until the key ceremony or holding the key ceremony before the end of April.


Yep, we saw it and we’re going to be configuring helloworld to serve the ISRG Root X1-signed intermediate instead of the DST Root X3-signed intermediate. Thanks for pointing it out!


@jsha Why instead? Just send both.


@jsha I believe there are two unanswered questions in https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/gKCqWRmBQ_8, is there someone in charge of answering them? To quote the Mozilla representative Kathleen Wilson: "A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted"

I only see one actual question, “answered” (with a question, which makes sense, because the question isn’t very forthcoming) by Richard Barnes, who is affiliated with Let’s Encrypt.

I was talking about the questions by reg...@gmail.com and Richard Barnes, but as Richard Barnes is affiliated with LE, my question is pointless.

Sorry, the affiliation of Richard Barnes with Let's Encrypt was not explicit (no signature, and the email used was @mozilla.com).

Richard Barnes confirmed he does not speak in the name of Let's Encrypt:
https://twitter.com/rlbarnes/status/728221649003286528

So there are two unanswered questions:

Referring to the bug tracker entry, there was a recent violation of BR 4.9.1.1. How will ISRG handle that in future?

https://groups.google.com/d/msg/mozilla.dev.security.policy/gKCqWRmBQ_8/R1zGC0etBgAJ from neg...@gmail.com

And

Could you provide more details of this violation, please?

https://groups.google.com/d/msg/mozilla.dev.security.policy/gKCqWRmBQ_8/pJXpzqKtBgAJ from Richard Barnes.

According to CA/Application Instructions - MozillaWiki:

A representative of the CA whose root inclusion request is being discussed must clearly represent their employer and must promptly respond directly in the discussion thread to all questions that are posted.

(emphasis mine)

josh...@gmail.com and jo...@letsencrypt.org (Is that you, @jsha?) answered twice in that forum, probably as a representative of Let's Encrypt. I believe the @letsencrypt.org address should be preferred, to indicate representation of the CA, or at least added in the signature of the message. (Which, by the way, was not signed, and groups.google.com truncates emails...)

About the issue mentioned by neg...@gmail.com, I believe it was about this:
1204656 - Add ISRG / Let's Encrypt root certificate (even if it's unclear that there was a violation of the BR)

Richard’s question is in reply to neg...@gmail.com, it’s not a question for Let’s Encrypt. I think it’s fair enough to ask to clarify what the question is about since it doesn’t contain any details. It’s a public, informal discussion, so I don’t think we’ll need to insist that the CA has to repeat the request for clarification when someone else has already done that.


@josh Any update from any root programs? (Mozilla’s is totally public and viewable)

FYI

https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/gKCqWRmBQ_8

Mozilla ✓

@josh Are there any updates about the status of the Microsoft and Apple Root Program applications? From BlackBerry? Java?

Is there a page to track progress on these subjects? (If not, https://letsencrypt.org/certificates/ could be a good one!)

Do you plan to apply for any other root program?


@tdelmas wasn't Java, IIRC, just IdenTrust but not ISRG?

@My1 Yes, I've rectified it: Inclusion of ISRG Root

When I was building my multiCERT app for BlackBerry 10 which adds full Let’s Encrypt trust to BB10 with just two clicks, a developer support advisor at BlackBerry confirmed to me that LE trust will be built in to OS 10.3.3. Until then you can easily import the needed certificates with my multiCERT app.

Cheers


BlackBerry 10.3.3 is now available for unlocked BlackBerry devices and some carriers are pushing it. More will as we get into 2017.

As you were informed, Let’s Encrypt certificates are recognized by BlackBerry 10 beginning with 10.3.3. Here’s proof:

This website was previously inaccessible on BB10 without a manual certificate import because the cert was not trusted. Now it is accessible and the cert is trusted. Yay!

Nice to see IdenTrust also being trusted on BB, unfortunately it's not the ISRG root certificate :stuck_out_tongue: But hey, it's a step in the right direction for LE.

A post was split to a new topic: Compatibility list for ISRG Root X1?