ISRG Root X1 in Consumer Devices

Hi everyone,

When people want to release a consumer product including “ISRG Root X1”, is there any condition to be concerned? For example, some contracts is required to be made between a company which wants to use the root certificate and ISRG before using the certificate. Do you have such condition?

Best Regards,

I'm not aware of any conditions around this.

@josh Is there anything to be aware of here?

You are welcome to distribute our root certificate unmodified on a nonexclusive and royalty-free basis. No contract is required.

5 Likes

@cpu, @josh

Thank you for your reply.
I understand that there is no condition to introduce the root certificate into consumer products.

1 Like

Hi @kimoto,

There are no contractual requirements, but I have some strong recommendations:

  • Don’t include solely ISRG Root X1 in your product’s trust store. You should include a variety of trusted roots in case for some reason ISRG Root X1 becomes unavailable to you. This was a major source of problems in the industry transition away from SHA-1 because many consumer devices hard hard-coded a single Symantec root.
  • In general if you are shipping a product that has a trust store, you should consider yourself to be operating a root program with all the work and responsibilities that entails. If your product runs on an operating system, and that operating system has its own root store, it’s generally better to use the OS root store.
  • If you’re shipping your own OS, it’s critically important that you be able to ship automated updates in a timely fashion, including updates to the trust store.
4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.