Re: Extending Android Device Compatibility for Let's Encrypt Certificates

2021-01-07 Thread Kurt Roeckx via dev-security-policy
On 2021-01-07 01:48, Aaron Gable wrote: As mentioned in the blog post, and as we'll elaborate on further in an upcoming post, one of the drawbacks of this arrangement is that there actually is a class of clients for which chaining to an expired root doesn't work: versions of OpenSSL prior to

Re: Extending Android Device Compatibility for Let's Encrypt Certificates

2021-01-07 Thread Aaron Gable via dev-security-policy
In cases where we expect OpenSSL to be validating the chain, we expect that ISRG Root X1 is also in the trust store (unlike older versions of Android, where we know that it hasn't been added). As such, there will be two certificates in the chain which are also in the local trust store: ISRG Root

Policy 2.7.1: MRSP Issue #218: Clarify CRL requirements for End Entity Certificates

2021-01-07 Thread Ben Wilson via dev-security-policy
This is the last issue that I have marked for discussion in relation to version 2.7.1 of the Mozilla Root Store Policy. It is identified and discussed in GitHub Issue #218

Re: Extending Android Device Compatibility for Let's Encrypt Certificates

2021-01-07 Thread Man Ho (Certizen) via dev-security-policy
I think it is a mistake to assume that the "intermediate" (i.e. your ISRG Root X1 cross-signed by DST Root CA X3) is the same certificate as your self-signed ISRG Root X1. The "intermediate" can only be chained up to expired DST Root CA X3. On 08-Jan-21 1:31 AM, Aaron Gable via