Issue from multiple intermediates during a scheduled transition period?

I agree there. The "Let's Encrypt" is redundant.

3 Likes

It already has happened.

2 Likes

Ah yes, true, that one happened too. I was refering to the upcoming fancy old-Android-compatibility trick.

2 Likes

I still think "Intermediate YYYYMMDD RSA" is far more descriptive than "R3".

The "Intermediate" there is to signify its usage not its structural formality.

2 Likes

I literally had the same thought. It's a key-identifier.

2 Likes

Why is the organization "Internet Security Research Group" for the roots and "Let's Encrypt" for the intermediates?

3 Likes

I don't like the idea of changing intermediaries more often than now.

Our use case includes a cluster of services that communicate with each other. Changing an intermediate means that we have to add the intermediate on each of them before it is really in use, and then restarting all of the services so that they can use them in validation. Only after that extra preparation step, is it safe to start using certs which require the intermediaries. I don't want to do this more often than needed.

1 Like

Well, my thinking is along the same lines as 90-day leaf certificates encouraging automation. If intermediates changed on some more frequent, regular basis, then more people would have that expectation (that they should already be having) that part of their automated processes should be downloading the intermediate/chain and installing that, not just the leaf certificate. (And of course trust stores should just have the roots in them, not the intermediates.)

4 Likes

This thread has departed pretty far from its original topic, but I'll just add two things:

  1. The common name of a certificate is not its whole name. The Subject of "R3" is actually
Subject:
    commonName                = R3
    organizationName          = Let's Encrypt
    countryName               = US

or often shortened inline as O=Let's Encrypt; CN=R3. In our technical communication, we try to be very careful to fully specify exactly what certificate we're talking about (either by describing it in prose, giving that fuller name, or linking to it) before we abbreviate it to just "R3".

  1. There was a period for public comment prior to the issuance of our new hierarchy. That was the time to express concern with the short common names selected -- and in fact some folks did, and were swayed by the arguments of redundancy and saving bytes. At this point, it's probably not really worth rehashing those discussions.

Finally, while I personally like the idea of issuing and changing intermediates on an even shorter timescale, Let's Encrypt isn't committing to do that at this time :slight_smile:

7 Likes