>>>>> "Russ" == Russ Allbery <r...@debian.org> writes:

    Russ> Colin Watson <cjwat...@debian.org> writes:
    >> Is it at all likely that the ftpmaster api service might migrate
    >> away from Let's Encrypt at this point?  I would assume probably
    >> not.  In that case, you could at least make the situation
    >> substantially better with no further DSA work required by pinning
    >> the appropriate LE root certificate in dgit.

    Russ> debian.org already publishes a CAA record, which conveys that
    Russ> information (although has its own verification concerns, but I
    Russ> think debian.org is using DNSSEC so you can verify the record
    Russ> that way).  It says that all debian.org hosts will only use
    Russ> certificates from either LE or Amazon:

Russ, you may be more up to date on WebPKI than I am.
Does that say anything about which root Let's Encrypt will chain to?
I.e., can Let's Encrypt change what their chain looks like?
