For context, Let’s Encrypt announced this morning that certs issued after July 9th will come with an intermediate cert issued by their own ISRG root, instead of the IdenTrust cross-signed intermediate: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html
The ISRG root has been added to every major trust store, so anyone running an up-to-date OS will be fine. But unfortunately, the Android ecosystem is infamous for short support cycles. Over 50% of users are running a version of Android older than Nougat, meaning they don’t have the ISRG root installed: https://developer.android.com/about/dashboards
Due to Let’s Encrypt’s enormous success, a huge portion of the web will break for these users if you start issuing certs chained to the ISRG root instead of the current DST root. Worse still, this is going to disproportionately impact lower-income users who can’t afford to upgrade.
The blog post mentions the option of replacing the ACME-provided intermediate with the cross-signed one, but realistically, most people just go with the default settings. (And because techies are more likely to have newer phones, they might not notice any problems on their own.) Plus, you might not have that option if your cert is handled by your web host, or by a SaaS provider. I’d be surprised if more than 10% of Let’s Encrypt domains stick with the IdenTrust root after the July cutover.
I implore you guys to reconsider the timing of this. Maybe wait a year or so to see if the Android situation gets better? Or even get a new cross-signature from a different root? (Not sure how feasible that is, I’m sure cross-signatures from highly-compatible roots aren’t cheap.)
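A constructed illustration of the compatibility point in the post above (an added example, not code from the original post or from Let’s Encrypt): a toy PKI built with the Python `cryptography` library, where OldRoot stands in for DST Root CA X3 and NewRoot for ISRG Root X1, and the same intermediate key is signed by both roots, as in a cross-signature. Chain building against a trust store that lacks NewRoot succeeds only when the server sends the cross-signed intermediate; all names, keys and dates are constructed here.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def issue(subject_cn, subject_key, issuer_cn, issuer_key):
    """Sign a 90-day cert for subject_key with issuer_key (self-signed if they match)."""
    sub, iss = (x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]) for cn in (subject_cn, issuer_cn))
    start = dt.datetime(2019, 7, 10)  # constructed date, just after the cutover in the post
    return (x509.CertificateBuilder().subject_name(sub).issuer_name(iss)
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=90))
            .sign(issuer_key, hashes.SHA256()))

def _verify(cert, issuer):  # raises InvalidSignature unless issuer's key signed cert
    issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))

def chain_to_store(leaf, intermediates, trust_store):
    """Return the CN of the trusted root the chain reaches, or None if it reaches none."""
    by_subject = {c.subject: c for c in intermediates}
    roots = {c.subject: c for c in trust_store}
    cert = leaf
    for _ in range(len(intermediates) + 1):
        if cert.issuer in roots:                  # reached an anchor the client trusts
            _verify(cert, roots[cert.issuer])
            return cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        parent = by_subject.get(cert.issuer)
        if parent is None:                        # dangling issuer: chain cannot be built
            return None
        _verify(cert, parent)
        cert = parent
    return None

# Constructed toy PKI: OldRoot stands in for DST Root CA X3, NewRoot for ISRG Root X1.
old_key, new_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
OLD_ROOT = issue("OldRoot", old_key, "OldRoot", old_key)
NEW_ROOT = issue("NewRoot", new_key, "NewRoot", new_key)
INTER_CROSS = issue("Intermediate", inter_key, "OldRoot", old_key)  # cross-signed by the old root
INTER_NEW = issue("Intermediate", inter_key, "NewRoot", new_key)    # issued under the new root
LEAF = issue("example.test", leaf_key, "Intermediate", inter_key)   # same leaf works under either
OLD_ANDROID, MODERN = [OLD_ROOT], [OLD_ROOT, NEW_ROOT]  # pre-Nougat-like store lacks NewRoot

def scenarios():
    return {
        "cross-signed chain, old store": chain_to_store(LEAF, [INTER_CROSS], OLD_ANDROID),
        "new chain, old store": chain_to_store(LEAF, [INTER_NEW], OLD_ANDROID),
        "new chain, modern store": chain_to_store(LEAF, [INTER_NEW], MODERN),
    }
```

Running `scenarios()` shows the leaf validating through OldRoot with the cross-signed intermediate, failing against the old store with the NewRoot-issued intermediate, and validating through NewRoot only once the store contains it.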