Root Inclusion in Mozilla

tlussnig · July 27, 2016, 8:25pm

https://bugzilla.mozilla.org/show_bug.cgi?id=1289889

Wow this is an great step forward

That mean in the not so far future LetsEncrypt will be in Firefox

upsuper · July 28, 2016, 1:23pm

I guess it would end up being included in Firefox 51, which would be the first version released the next year.

rugk · August 8, 2016, 6:16pm

As LE announced it will end up in Firefox 50.

However I still have a question about this inclusion now: As it seems X1 has been included, but most of the currently issued certs are issued by X3. Does not that mean only certs issued by X1 will be trusted without Identrust in Firefox 50?

Are there plans to include X3 too?

tdelmas · August 8, 2016, 6:28pm

@rugh I think your answer is there:

tlussnig · August 8, 2016, 6:43pm

Firefox Nightly “51.0a1 (2016-08-06)” does not yet support the new root.
And the testpage “https://helloworld.letsencrypt.org/” was not updated.

Osiris · August 8, 2016, 6:51pm

Root versus intermediate dude, root versus intermediate..

Updated with what? There isn't a currently active intermediate certificate signed by the ISRG root...

tlussnig · August 8, 2016, 6:54pm

@Osiris do you wan’t to say that there is an signed root, but no intermediate that it is usable with these root?

Osiris · August 8, 2016, 6:55pm

Correct.

kelunik · August 8, 2016, 7:46pm

Currently, that is correct and also the reason why the helloworld certificate isn’t updated, because it has to chain up to the ISRG root.

tialaramex · August 8, 2016, 8:37pm

Strictly, the X1 and X2 intermediate still exist, but Let’s Encrypt policies say it doesn’t issue certificates for end entities (and that’s what helloworld is) except via ACME and the ACME server doesn’t offer certificates from X1 or X2, right now it exclusively delivers certificates signed by X3.

Presumably at some point ISRG will have a signing ceremony, and they will use the ISRG Root (now trusted in Mozilla’s NSS) to sign X3 and X4. Because the ISRG-signed X3 and the IdenTrust-signed X3 are the same public key, with the same Subject DN, you can offer either the IdenTrust certificate (trusted very widely) or the ISRG certificate (only in brand new NSS) as intermediates, although obviously certbot and similar tools would continue to choose IdenTrust because that works better for 99.99% of end users. But helloworld could ask for an X3-signed certificate then, and use the ISRG chain rather than the IdenTrust one if they wanted to.

system · September 7, 2016, 8:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ISRG Root X1 added to Firefox for next release ISRG/Organizational	41	9089	June 14, 2020
Is https://helloworld.letsencrypt.org/ managed by letsencrypt?	4	1690	May 16, 2016
Lets Encrypt Authority X1 expired Help	8	2267	September 4, 2016
Questions for Crosssigning of Letsencrypt and IdenTrust Issuance Tech	5	2481	May 31, 2017
Cross-signing followup Issuance Tech	9	3093	November 19, 2016

Root Inclusion in Mozilla

Related topics