Preview of our upcoming Root Ceremony

4.1.2 Root CA Succession Planning

CA Owners SHOULD request for the replacement of a certificate included in the Chrome Root Store no later than 5 years after the release date of the Chrome Root Store's initial inclusion of the certificate.

….

The CA certificate being replaced will be removed from the Chrome Root Store upon the absence of unexpired and unrevoked TLS server authentication certificates

Chrome will remove X1/X2 once YR/YE are trusted and all certificates have been replaced, so servers will likely need to serve both an older root (Gen X now) and a current root (Gen Y).

In 5 years (2030), we will issue Gen Z roots. At that time, we expect Gen Y to be fully trusted, and so the default chain will switch to Gen Y and Gen Z, with Gen X still available if needed, but the chain will be getting longer. 5 years after that (2035), we will issue a new Gen A. X1 will expire and no longer be available. Users can chain to X2, A, Z or Y depending on their needs.

We also expect technology like TLS Trust Anchor Identifiers will help avoid overly long chains as well.

I also expect we will add a post quantum root during the period which the “Y” roots are current. I can’t say for sure, but if it’s an MLDSA root, I would expect that to be root YM. It will not be issued until at least 2026, if not later.

Depending on advances in Quantum Computing, we may begin deprecation of the RSA and ECDSA roots, but the timeline for that is unknown.