Upcoming Features - Let's Encrypt - not updated in a while


The page showing upcoming features have not been updated in ages. For instance I would like to see when E1 signed certificates will be issued by default.

1 Like

We've been focused on a variety of (hopefully!) invisible improvements to speed and stability to enable growth for the next 200M certificates. As we've said elsewhere, we won't enable default issuance from E1 (which chains up to ISRG Root X2) until that root is in all major trust stores.


As I read this request, it asks to update the Upcoming Features page.
You've stated:

It only seems reasonable to include any/all of those elsewhere statements into that page.

Like (maybe):


I concur @rg305.

When will E1-signed certificates be issued by default?

Let's Encrypt won't issue E1-signed certificates by default until ISRG Root X2 is in all major trust stores.

This implies to me sometime after that event, but not necessarily coinciding with it.


I would hope so considering how painful it's been to transition to ISRG Root X1 despite how long it has been in all the major trust stores.

I'd guess there are a decent number of people today who are using ECDSA certs on the existing X1 chain that would totally break clients if their next renewal all of a sudden came from the X2 chain even if it's cross-signed by X1.


I would think that the primary cause of that breakage would be the extended chain rather than X2 being in the mix if termination occurs at X1. I'm amazed at just how much struggle there has been both for hosting providers and users to support using multiple intermediate certificates. GoDaddy recently dodged the issue entirely by jumping from R3 with DST Root CA X3 assumed in trust store directly to R3 with ISRG Root X1 assumed in trust store.


What? You mean that intermediate can be a plural term ! ? ! ? !
Oh no! Back to coding! - LOL


I understand the request here. The current statement "There is no planned date for removing the allow-list" is still correct. Although it could have more detail, we prefer not to get more specific with future timelines because doing so inevitably leads to questions of the form "ISRG Root X2 is in the microsoft trust store, why haven't you enabled issuance from E1 for me, huh?".

Honestly the whole Upcoming Features page could use a bit of work (why is it 90% already-launched features from multiple years ago?) and so I've filed a ticket to track that.


So it's the Let's Encrypt wayback machine... :thinking:


I still think that point hasn't been addressed (well enough).
If anything was said elsewhere (that applies to "Upcoming Features"), why not also include that in there?


Would the move to add ISRG Root X2 take years or months?


OR... maybe BOTH !
[there are parts that are completely out of ISRG control]


It depends upon how long it takes for the various root programs to adopt ISRG Root X2. Considering how long it has taken for ISRG Root X1 to be adopted, I wouldn't hold my breath, but I do hope for a swift adoption.


Mozilla's Application Process states that the inclusion of a new root ca typically takes up to two years (sometimes even longer) [1]. But the exact timeline varies significantly and ISRG is technically not a new CA, so I would hope that this isn't going to take the full two years. Exact timelines cannot be given, because this depends on a lot of factors. I would guess that at least one root program will take their time until 2022.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.