Switch to ISRG Root: What changed?

Last year you announced a 5-year transition period before removing the cross-signing of Let's Encrypt certificates:

We’ll need to wait for the vast majority of those [older clients] to cycle out of the Web ecosystem. We expect this will take at least five more years, so we plan to use a cross signature until then.

To me, that sounded like a reasonable estimate given historical rates of technology upgrades.

The recent announcement has shortened that time frame to approx. 3 years (2021) at best (assuming all certificate issuers can reconfigure their systems in the time between the required certbot feature being released and the switchover in July 2019).

I'm interested to know what has changed in the past 8 months to support the conclusion that this new timeframe is a more appropriate choice than the one announced last year?

Note that the DST root expires on September 30, 2021, so the existing cross-signature won’t be accepted by browsers after that date.

Right, so the quote that luckyrat found makes it seem like ISRG intended to get a new cross signature from a different root until their own root was better established. I'm also curious what changed there.
