R10/R11 + E5/E6 retired or merely idled?

With R12/R13 + E7/E8 taking over from R10/R11 + E5/E6, are the former active issuers permanently retired, or just "taking a break" (i.e. effectively 2 of the three backups for each algorithm)?

According to docs, they are retired

to be clear:
there are many R10/R11 issued certs that are still valid [not yet expired]

R10/R11 and E5/E6 still have active certs, but are no longer actively issuing new certs

R12/R13 and E7/E8 are actively using certs

And so, they're still "online" signing CRL responses.

I think the question may be, "If Let's Encrypt has some compliance problem with R12/R13/E7/E8, will they maybe bring R10/R11/E5/E6 online to sign certs again?" I doubt they plan to, but it's not like they've destroyed the keys yet, so I suppose it's not impossible. Whether they do may depend on the nature of whatever is preventing them from continuing with R12/R13/E7/E8, and whether "rolling back" to prior intermediates is easier or harder for them than "rolling forward" to not-yet-used-for-issuing intermediates.

We don't plan to resume use of E5, E6, R10, R11, but of course there could be some unforeseen situation where that could be required.

Our next planned intermediate switch will be to YE1, YE2, YR1, YR2 next year.

We always want to keep a backup intermediate so we have an option to switch quickly in event of some compliance issue that could require us to revoke intermediates.

Thanks all, I should indeed have checked for changes at the Chains of Trust page.

I see the CAs in question are intended to now be retired, so in ~90 days, once the last of their issued EE certs expires, I'll post messages to the dane-users, postfix-users and dane-users mailing lists and update the Provisioning DANE-TA(2) TLSA records for Let's Encrypt CAs page to mark them accordingly.

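
The bookkeeping described in the last reply (a DANE-TA(2) record for an intermediate may only be dropped once the last end-entity certificate it issued has expired, while the intermediate itself stays a valid trust anchor until then) as an added worked example. This is illustration code written for this page, not anything from the poster, the DANE pages or Let's Encrypt; it uses only the Go standard library and builds a throwaway CA plus leaf with made-up names (`E5`, `mail.example.test`) instead of real Let's Encrypt certificates. The retired set is taken from the thread's own statements; the TLSA RDATA format (usage 2, selector 1, matching type 1, SHA-256 over the SubjectPublicKeyInfo) is the standard DANE-TA form.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Intermediates the thread says have stopped issuing but still have unexpired leaves.
var retiredIntermediates = map[string]bool{"R10": true, "R11": true, "E5": true, "E6": true}

// IssuerRetired reports whether a leaf was issued by one of the retired intermediates,
// judged by the issuer's Common Name (Let's Encrypt names its intermediates this way).
func IssuerRetired(leaf *x509.Certificate) bool {
	return retiredIntermediates[leaf.Issuer.CommonName]
}

// TLSA211 returns the RDATA of a DANE-TA(2) record for an intermediate:
// usage 2, selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
func TLSA211(ca *x509.Certificate) string {
	sum := sha256.Sum256(ca.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("2 1 1 %s", hex.EncodeToString(sum[:]))
}

// VerifyWithTA checks that leaf chains to ta as the trust anchor (what a DANE-TA(2)
// validator does). A retired intermediate still verifies its old leaves.
func VerifyWithTA(leaf, ta *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ta)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// SafeToDropTA is true once every leaf issued by ta has expired at time now;
// until then the TLSA record for ta must stay published.
func SafeToDropTA(ta *x509.Certificate, issued []*x509.Certificate, now time.Time) bool {
	for _, c := range issued {
		if c.Issuer.CommonName == ta.Subject.CommonName && now.Before(c.NotAfter) {
			return false
		}
	}
	return true
}

// newTestChain builds a self-signed test CA with the given CN and a 24-hour leaf it
// signs. Constructed test data only; these are not Let's Encrypt certificates.
func newTestChain(cn string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Test"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.example.test"},
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

func main() {
	ca, leaf, err := newTestChain("E5")
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer retired:", IssuerRetired(leaf))
	fmt.Println("_25._tcp.mail.example.test. IN TLSA", TLSA211(ca))
	fmt.Println("leaf still verifies under retired TA:", VerifyWithTA(leaf, ca))
	fmt.Println("safe to drop TA now:", SafeToDropTA(ca, []*x509.Certificate{leaf}, time.Now()))
}
```

Against a real deployment you would feed `SafeToDropTA` the leaves you actually serve (or, as the poster does, simply wait out the longest possible leaf lifetime after issuance stopped) and keep the `2 1 1` record for the old intermediate published until that returns true; dropping it early breaks DANE validation for every still-valid leaf that chains to it.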