On the Way to Universal Recognition of Let's Encrypt Root Certificate
canopic jug writes:
Let's Encrypt, the non-profit certificate authority which provides X.509 certificates for Transport Layer Security encryption at no charge, has an update on the progress towards universal acknowledgement of its root certificate in software and firmware. The cross signature which it has purchased will expire next September, so there is a hard deadline for finalization. There are only a few barriers remaining, one of which is the old versions of Android still in use.
Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.
What can we do about this? Well, while we'd love to improve the Android update situation, there's not much we can do there. We also can't afford to buy the world a new phone. Can we get another cross-signature? We've explored this option and it seems unlikely. It's a big risk for a CA to cross-sign another CA's certificate, since they become responsible for everything that CA does. That also means the recipient of the cross-signature has to follow all the procedures laid out by the cross-signing CA. It's important for us to be able to stand on our own. Also, the Android update problem doesn't seem to be going away. If we commit ourselves to supporting old Android versions, we would commit ourselves to seeking cross-signatures from other CAs indefinitely.
It's quite a bind. We're committed to everybody on the planet having secure and privacy-respecting communications. And we know that the people most affected by the Android update problem are those we most want to help - people who may not be able to buy a new phone every four years. Unfortunately, we don't expect the Android usage numbers to change much prior to ISRG Root X1's expiration. By raising awareness of this change now, we hope to help our community to find the best path forward.
The Internet Archive has retained a copy of the original announcement for Let's Encrypt.
Previously:
(2020) Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
(2020) HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
(2019) Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web
(2019) Let's Encrypt to Transition to ISRG Root
(2018) Let's Encrypt is Now Officially Trusted by All Major Root Programs