Let's Encrypt new hierarchy plans

The elephant in the room. After the DST Root CA X3 expires in September 2021, are there any other root CA’s you could get a cross signature from to bridge trust with legacy clients?

Cheers

3 Likes

i thought the new version of the APIs suggest that you get the intermediate from the API call rather than hard coding it. This was always a challenge with client implementations hard coding intermediates.

1 Like

ACME has always specified that clients get the intermediates via API call. However, ACMEv1 required additional API requests to get the intermediates, leading some clients to hard-code it instead. In ACMEv2, the certificate is delivered as part of a PEM response that also includes any intermediates needed. Hopefully this has made getting intermediates via the API the “easy path.”

This is a good idea, thanks. We’re discussing internally our options for shorter URLs, and I’ll also think about options for naming improvements. One thing to note here is that organizationName is required per BRs § 7.1.4.3.1, and that will contain “Let’s Encrypt,” so including that string a second time in commonName is redundant - the commonName could be just “Y3.”

Thanks to everyone on the feedback about P-256 vs P-384. I’m convinced to go with P-384 for the root and all intermediates, and will update the top post correspondingly.

1 Like

However, the intent as I understand it is to obtain cross-signatures for the Y3 and Y4 certificates so it will be necessary to be sure IdenTrust is comfortable with the choice of names, the BR rule just says these CNs must be unique under the signing root (and I doubt IdenTrust has ever wanted to sign any other certificates named Y3 or Y4) but it will be slightly less obvious in that context. For that reason it may end up not making sense to use the shortened names on the Y3 / Y4 certificates.

Also, though I agree that one byte saved times one million web sites times one million views = 1 Terabyte of data transmission averted, so this is worth some effort - https://datatracker.ietf.org/doc/draft-ietf-tls-certificate-compression/ is sat in the RFC editor’s queue. So it’s more valuable to shave off bytes that don’t get compressed away by ZStd or Brotli or whatever is chosen than ASCII text that may in practice be compressed on the wire between real clients and servers in the not-too-distant future. But hey, if it’s not there we don’t need to compress it.

3 Likes

You may want to run the proposal of the “Y3” CN by Mozilla, as they do require meaningful O and CN values: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Generic_Names_for_CAs. My opinion is that “Y3” isn’t meaningful to a RP, but the root store reps might have a different take.

3 Likes

I don’t claim to speak for Kathleen or on behalf of the Mozilla Root Program, but I do think the X -> Y hierarchy is fine. That practice is due to me having to write release note entries with totally ambiguous names, requiring whole X.500 distinguished names or fingerprints to avoid ambiguity in what is supposed to be human-readable text, like this one from last week: image (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.54_release_notes)

4 Likes

I think this is something quite interesting and worth discovering.

http://ocsp.int-x3.letsencrypt.org is not excessively long, but perhaps a short domain and a URL (pki.goog-akin) would be fantastic if not far fetched for the browsers.

1 Like

Any update when ECC will be available?

1 Like

In my opinion new ECDSA intermediates should be cross-signed by DST Root.
There are some LE users (including me, 2000+ certs) who already use ECDSA certs (signed with current RSA interintermediates) and need trust for older android devices.
Without cross-sign only way to support those older devices in my case would be switch back to RSA certs - yes, it’s easy, but why not treat ECDSA and RSA equally?

2 Likes

Thanks everyone for the great feedback here. I’ve started a new thread with our almost-final plans: Detailed 2020 hierarchy. This includes demo .pem files and openssl -text output showing the exact certificate profiles.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.