When will the switch to the new intermediates happen? [re: static pins for torproject.org]

https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html mentions the introduction of new intermediate certificates, but it does not specify when the R3 and R4 intermediates will actually replace
the existing X3/X4 intermediates in the issuing pipeline.

For most domains, the switch would probably not matter. However, for torproject.org, switching to the
new chain will break website access for e.g. chrome users as there's a static pin set. (An update to the pinset is already in the pipeline [cf. https://chromium-review.googlesource.com/c/chromium/src/+/2427555].)

So I wonder when the switch happens, so we can get one last batch of 90 day certs with the old chain to give people more time to move to newer chromes (and firefoxes).


Welcome to the Let's Encrypt Community, Peter :slightly_smiling_face:

I want you to get the right answer, so please be patient and check back here later.


I believe this question is for you. :slightly_smiling_face:


We don't have the exact date set - we're waiting on a cross-sign from IdenTrust, but it will be sometime this fall. I would recommend getting a fresh set of certificates now and again in two weeks.

A couple of thoughts about your pins: It looks like you have three backup keys in your pinset: Tor1, Tor2, and Tor3. Is there anything that would prevent you from using one of those backup keys after we switch to R3?

Also, it would be less risky to pin roots (DST Root X3, ISRG Root X1, and now ISRG Root X2) than intermediates, since we intend to rotate intermediates on a more regular basis in the future.

We don't currently have official guidance on whether or how to use HPKP, but note that it has increasingly been a source of issues in the WebPKI:

https://groups.google.com/forum/#!forum/mozilla.dev.security.policy (search for "hpkp" - direct links to searches are broken right now and require login)


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.