I saw that the new intermediates were issued last month, but I was wondering if there is a rough timeline available for when the new intermediate certificates will be put into rotation. Also curious if the new intermediates will be added to the current ones, or if there will be a hard switch.
Ex, period when R3 and R10 / R11 are randomized issuing certs or immediate switch from R3 to only R10 / R11 randomized.
For reference: Trying to push co-workers away from pinning intermediate certs, but they tend to back burner things until there is an EOL on the horizon.
IMHO, they should not pin. Here are two comments from ISRG staff in a semi-recent threat about this. My takeaway is the LE staff have long been eager to start making some architecture changes - both in networking and certificate chaining - and we should expect them to start acting on this quickly after the infrastructure changes.
Yep, both @MikeMcQ and @jvanasco are correct: you should see another announcement from us detailing our plans -- including the date we intend to switch things up -- later this week. And please show these comments from us to your coworkers as encouragement to not pin: it does not provide the security benefits that people hope it does, and it causes breakages when we change our issuance hierarchy.