What's the truth of device compatibility without cross-signing?


#1

The blog post links to this list in the first paragraph: https://letsencrypt.org/docs/certificate-compatibility/#known-incompatible

I don’t believe that it’s accurate if you take cross-signed intermediates out of the equation.

e.g.

Known Compatible
Android OS >= v2.3.6

I’m not sure how this was arrived at, but afaict ISRG Root X1 was first trusted in Android 7.

Did Android backport it to older versions? If they did, does it matter? Manufacturers didn’t do a good job of updating Android devices from that era.

If https://developer.android.com/about/dashboards/ is to be believed, then half of devices do not trust the root, if the user is using the stock Android browser.

If I understood that right, then the transition to ISRG Root X1 by-default seems too aggressive to me.

Has there been a better study that could be made public?
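The question above comes down to how a client builds a path from the server's leaf certificate to a root it already trusts, and why serving a cross-signed copy of the new root changes the answer for devices whose trust store predates it. The following is an added example, not code from the thread or from Let's Encrypt: a toy path builder over constructed (subject, issuer) pairs. "ISRG Root X1" is the name discussed above; "Intermediate R", "Legacy Root", "example.test" and both trust stores are constructed placeholders, and the model checks only name chaining, not signatures, validity periods or constraints as a real verifier would.

```python
"""Toy chain building: does a client with a given trust store reach a root?

Added illustration, not project code.  Certificates are modelled as
(subject, issuer) pairs; a cross-sign is simply a second pair with the same
subject but a different issuer.  All names below are constructed.
"""
from collections import defaultdict

LEAF = "example.test"

# Chain as a server might send it without a cross-sign: leaf + one intermediate
# issued directly by the new root.
SHORT_CHAIN = [
    ("example.test", "Intermediate R"),
    ("Intermediate R", "ISRG Root X1"),
]

# Same chain plus a cross-signed copy of the new root, issued by an older root
# ("Legacy Root" is a constructed stand-in) that old trust stores already hold.
CROSS_SIGNED_CHAIN = SHORT_CHAIN + [("ISRG Root X1", "Legacy Root")]

# Constructed trust stores: a current client knows both roots, an old device
# (e.g. one whose store predates ISRG Root X1) knows only the legacy root.
NEW_CLIENT = {"ISRG Root X1", "Legacy Root"}
OLD_CLIENT = {"Legacy Root"}


def build_path(leaf, served, trust_store, max_depth=6):
    """Depth-first walk from `leaf` to any subject in `trust_store`.

    served: list of (subject, issuer) pairs the server sends.
    trust_store: set of root subject names the client trusts.
    Returns the subjects along the first successful path, or None.
    """
    issuers_of = defaultdict(list)
    for subject, issuer in served:
        issuers_of[subject].append(issuer)

    def walk(subject, path):
        path = path + [subject]
        if subject in trust_store:          # reached a trust anchor
            return path
        if len(path) > max_depth:           # guard against runaway chains
            return None
        for issuer in issuers_of.get(subject, []):
            if issuer in path:              # self-signed or loop: skip
                continue
            found = walk(issuer, path)
            if found:
                return found
        return None                         # no issuer the client recognises

    return walk(leaf, [])


def compatibility_report(chain):
    """Map each constructed client profile to whether it can validate `chain`."""
    return {
        name: build_path(LEAF, chain, store) is not None
        for name, store in (("new client", NEW_CLIENT), ("old client", OLD_CLIENT))
    }


if __name__ == "__main__":
    for label, chain in (("without cross-sign", SHORT_CHAIN),
                         ("with cross-sign", CROSS_SIGNED_CHAIN)):
        print(label, compatibility_report(chain))
```

Running it shows the old-client profile failing on the short chain and succeeding once the cross-signed copy is served, while the new-client profile stops at ISRG Root X1 either way. Any real compatibility estimate then hinges on how many deployed devices fall into each profile, which is the measurement the post above is asking about.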


#2

There’s an existing forum thread about this same issue:


#3

Yeah, that and another thread got posted after this one - doesn’t matter, good responses in the other one.


closed #4