Signing of the new intermediates

Jason · March 26, 2016, 3:13pm

@jsha When will the new intermediates be signed by the ISRG Root X1?

Osiris · March 26, 2016, 3:35pm

Why would they? The new intermediates were created because of buggy behaviour Windows XP. The ISRG Root X1 signed intermediates don’t have that problem.

Jason · March 26, 2016, 3:53pm

There is the following problem: ALL server certificates are now signed by the X3 intermediate, which means that they currently DON’T chain up to the ISRG Root X1 root CA, since the X3 is not signed by ISRG. So, if someone would like to utilize the ISRG root, they cannot, if they have server certificates from the X3, so a signature is needed, I think. When the ISRG root is trusted, I understand that the X3 would no longer be useful. But we have time ahead until that is done…

jsha · March 26, 2016, 4:17pm

In a few months. We need to hold a key ceremony to bring our root online, and that requires a fair amount of advance planning and coordination. We’ll probably do it about the same time we generate an ECDSA root and intermediates.

My1 · March 27, 2016, 7:43pm

but wouldnt you also need your root “ready” to sign CRLs/OCSPs for the root itself (regarding validity of the intermediates)?

Osiris · March 27, 2016, 9:16pm

The CRL is signed every 3 months it seems:

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
        Last Update: Feb 23 12:00:00 2016 GMT
        Next Update: May 23 12:00:00 2016 GMT

So I guess that doesn’t matter with regard to the intermediate signing ceremony.

My1 · March 27, 2016, 10:04pm

well “in a few months” can mean on the next CRL update because as obvious as it might seem, the private root key is needed for both.

system · April 26, 2016, 10:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.