Issue from multiple intermediates during a scheduled transition period?

griffin · January 9, 2021, 8:53pm

I agree there. The "Let's Encrypt" is redundant.

griffin · January 9, 2021, 8:55pm

It already has happened.

Osiris · January 9, 2021, 8:56pm

Ah yes, true, that one happened too. I was refering to the upcoming fancy old-Android-compatibility trick.

griffin · January 9, 2021, 8:57pm

I still think "Intermediate YYYYMMDD RSA" is far more descriptive than "R3".

The "Intermediate" there is to signify its usage not its structural formality.

griffin · January 9, 2021, 9:23pm

I literally had the same thought. It's a key-identifier.

griffin · January 9, 2021, 9:27pm

Why is the organization "Internet Security Research Group" for the roots and "Let's Encrypt" for the intermediates?

oseibert · January 12, 2021, 4:18pm

I don't like the idea of changing intermediaries more often than now.

Our use case includes a cluster of services that communicate with each other. Changing an intermediate means that we have to add the intermediate on each of them before it is really in use, and then restarting all of the services so that they can use them in validation. Only after that extra preparation step, is it safe to start using certs which require the intermediaries. I don't want to do this more often than needed.

petercooperjr · January 12, 2021, 4:32pm

Well, my thinking is along the same lines as 90-day leaf certificates encouraging automation. If intermediates changed on some more frequent, regular basis, then more people would have that expectation (that they should already be having) that part of their automated processes should be downloading the intermediate/chain and installing that, not just the leaf certificate. (And of course trust stores should just have the roots in them, not the intermediates.)

aarongable · January 12, 2021, 8:31pm

This thread has departed pretty far from its original topic, but I'll just add two things:

The common name of a certificate is not its whole name. The Subject of "R3" is actually

Subject:
    commonName                = R3
    organizationName          = Let's Encrypt
    countryName               = US

or often shortened inline as O=Let's Encrypt; CN=R3. In our technical communication, we try to be very careful to fully specify exactly what certificate we're talking about (either by describing it in prose, giving that fuller name, or linking to it) before we abbreviate it to just "R3".

There was a period for public comment prior to the issuance of our new hierarchy. That was the time to express concern with the short common names selected -- and in fact some folks did, and were swayed by the arguments of redundancy and saving bytes. At this point, it's probably not really worth rehashing those discussions.

Finally, while I personally like the idea of issuing and changing intermediates on an even shorter timescale, Let's Encrypt isn't committing to do that at this time

system · February 11, 2021, 8:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.