When people want to release a consumer product including “ISRG Root X1”, are there any conditions to be concerned about? For example, some contracts are required to be made between a company which wants to use the root certificate and ISRG before using the certificate. Do you have such a condition?
There are no contractual requirements, but I have some strong recommendations:
Don’t include solely ISRG Root X1 in your product’s trust store. You should include a variety of trusted roots in case for some reason ISRG Root X1 becomes unavailable to you. This was a major source of problems in the industry transition away from SHA-1 because many consumer devices had hard-coded a single Symantec root.
In general if you are shipping a product that has a trust store, you should consider yourself to be operating a root program with all the work and responsibilities that entails. If your product runs on an operating system, and that operating system has its own root store, it’s generally better to use the OS root store.
If you’re shipping your own OS, it’s critically important that you be able to ship automated updates in a timely fashion, including updates to the trust store.