Microsoft says: "The Microsoft Trusted Root Certificate Program releases changes to our Root Store on a monthly cadence, except for December." However, that's written on an aka.ms page (ie it should be linking to current material) with a list of updates and yet it was issued once in February and has never been updated since. So it may be reasonable to take with a grain of salt the "commitment" from Microsoft to obey this policy.
3 Likes
I find that MS continues to be extremely lazy and won't show the ISRG Root X2 cert in the trusted store until it has been accessed (at least in my case, directly).
I simply opened the cert and it then immediately showed in the trusted store (without any install).
https://crt.sh/?d=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470
5 Likes
Is there any beta test for ISRG Root X2
2 Likes
What do you mean "beta test"?
It is in full production already.
4 Likes
My cert is from X3 > R3 > Domain ? I requested ECDSA cert and thats what I got.
For now you have to request be allow-listed for ECDSA, see:
2 Likes
OK, I think I understand you now.
I think that any new certs must now be avoiding the soon to be expiring DST Root CA X3.
But your browser may still show it (while it is still valid).
4 Likes
Mozilla has started the public discussion phase regarding the inclusion of ISRG Root X2:
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/bE_aRuWxCAAJ
This is an important step in Mozillas inclusion process.
8 Likes
The public discussion at Mozilla is over, the current status is "Intent to Approve":
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/t1JxqeZ8AwAJ
10 Likes
The ISRG Root X2 certificate has been formally accepted by Mozilla, and should appear in the next NSS release.
NSS inclusion request: 1738805 - Add ISRG Root X2 root certificate to NSS
14 Likes
Hopefully beginning of 2022 we can start using X2
3 Likes
Is there any public status available for the Apple, Google, and Oracle root programs?
6 Likes
I haven't seen any kind of "publicy visible inclusion process" for most root programs (well, except Mozilla). If there is I would like to know as well.
The current status as I can verify it is:
- Apple: Based on latest sources available from Apple (macOS 11.5 currently), ISRG Root X2 is not included.
- Google: Seems to not have updated its public list since the initial proposal(s) in 2020.
- Oracle: Latest source code does not include it.
7 Likes
I know you're busy and not everyone is available at all times, but you're aware that Mozilla is currently blocked waiting for your input?
8 Likes
We are aware of this, thank you.
7 Likes
Root X2 seems to have been included in the Microsoft and Google root programs at some point recently. Can't say exactly when for lack of transparency in their processes.
2 Likes
while I don't know about MS root, ISRG root X2 didn't land on android 12, as they only do CA store update on android release I think it'd be like android 13 or somthing until it will land on android.
https://android.googlesource.com/platform/system/ca-certificates/+/8db75df6bd335760ddb36db92463ce2d236d3916
there is no ISRG update there and if you look up newest commit you will find no ISRG root x2 in there too.
6 Likes
Microsoft including ISRG Root X2 has been reported already:
About Google:
That's a bit complicated, because there is no uniform "Google Root Program". There are various trust stores used on their products, for example the trust store used on Android. Censys lists "Google CT" under trust, which are the certificates accepted by their CT log backends. The latter seems to include ISRG Root X2 now, yes. I imagine that these trust stores are run independently by independent departments.
There's a root program run by Google, the Chrome Root Program. But that is still in development and little is known about it.
7 Likes
Wonderful news! Correct me if I'm wrong, it looks like it'll arrive in the next branch release of NSS on 1/6/2022 in v3.74, meaning it'll land in Nightly immediately after and Firefox 97 stable on February 8.
1 Like