I'm curious whether this approach of cross-signing from a root
certificate which has already expired is exceptional for Let's Encrypt.
I'm not aware of any discussion on the conditions under which this approach could
be accepted by Mozilla and other root certificate programs. Or is it
just a usual practice of CAs? If so, this approach may provide some new
solutions in the CA ecosystem.
Firstly, new CAs whose root certificates are not yet included in the
root certificate programs may acquire an expired root certificate from
an existing CA, which is probably more willing to sell an expired root
certificate than an active one.
Secondly, CAs whose root certificates are about to expire may continue
using them to issue intermediate CA certificates beyond their expiry, so
there would be no need to roll over root certificates to new ones.
Are they good or bad things?
On 22-Dec-20 7:42 AM, jo...--- via dev-security-policy wrote:
We (Let's Encrypt) just announced a new cross-sign from IdenTrust which is a
bit unusual because it will extend beyond the expiration of the issuing root.
More details can be found here:
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Best,
Josh
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
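The cross-sign Josh describes, and the question above about what happens once the issuing root has expired, can be reproduced with a throwaway PKI. The script below is an added example, not code from the thread, from Let's Encrypt or from IdenTrust: it uses the openssl CLI to create a root that expires in one day, has that root sign an intermediate for ten years, and then validates the intermediate before and after the root's notAfter. It assumes openssl 1.1.1 or later on PATH with its default openssl.cnf present; all names, validity periods and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Let's Encrypt/IdenTrust.
# Builds a throwaway PKI with the openssl CLI: a root that expires in one
# day and an intermediate cross-signed by it for ten years, then validates
# the intermediate before and after the root's notAfter.
# Assumes: openssl >= 1.1.1 on PATH with its default openssl.cnf present.
# All names and validity periods are constructed for the demo.

build_pki() {  # $1 = scratch directory
    dir=$1
    mkdir -p "$dir"

    # Root CA: self-signed, deliberately short-lived (notAfter = now + 1 day).
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/root.key"
    openssl req -x509 -new -key "$dir/root.key" -days 1 \
        -subj "/CN=Demo Root (expiring)" -out "$dir/root.pem"

    # Intermediate CA key and CSR.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/inter.key"
    openssl req -new -key "$dir/inter.key" \
        -subj "/CN=Demo Intermediate (cross-signed)" -out "$dir/inter.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"

    # The root signs the intermediate for 3650 days, far past its own
    # notAfter. openssl x509 -req does not clamp the period to the issuer's,
    # which is the shape of the cross-sign discussed in the thread.
    openssl x509 -req -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days 3650 -extfile "$dir/ca.ext" -out "$dir/inter.pem"
}

# Chain validation at a chosen Unix time. OpenSSL checks the validity period
# of every certificate in the chain, the trust anchor included, so this
# returns non-zero once the root has expired even though the intermediate
# itself is still inside its own validity period.
verify_at() {  # $1 = dir, $2 = epoch seconds
    openssl verify -CAfile "$1/root.pem" -attime "$2" "$1/inter.pem"
}

# The same chain with all date checks disabled. This isolates the signature
# math (which never expires) from the validity-period policy, and stands in
# for a client that does not enforce the trust anchor's dates.
verify_ignoring_time() {  # $1 = dir
    openssl verify -no_check_time -CAfile "$1/root.pem" "$1/inter.pem"
}

cert_end_date() {  # $1 = path to a PEM certificate
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

demo() {
    dir=$(mktemp -d)
    build_pki "$dir" >/dev/null 2>&1
    echo "root notAfter:         $(cert_end_date "$dir/root.pem")"
    echo "intermediate notAfter: $(cert_end_date "$dir/inter.pem")"

    t_ok=$(( $(date +%s) + 3600 ))        # inside the root's one-day window
    t_late=$(( $(date +%s) + 3 * 86400 )) # root expired, intermediate valid

    echo "--- at t=$t_ok (root still valid)"
    verify_at "$dir" "$t_ok"
    echo "--- at t=$t_late (root expired; OpenSSL rejects at depth 1)"
    verify_at "$dir" "$t_late" || echo "rejected, exit status $?"
    echo "--- same chain with dates ignored (signature alone)"
    verify_ignoring_time "$dir"
    rm -rf "$dir"
}

demo
```

The second `verify_at` call is the interesting one: the signature over the intermediate still verifies, which `verify_ignoring_time` confirms, but a validator that applies the trust anchor's notAfter refuses the chain anyway. Whether a given client checks the anchor's dates is therefore the whole question; the same chain is either usable or dead depending on that one policy choice, which is why it matters what the root programs say about it.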