posted by martyb on Thursday December 24 2020, @02:39AM

Let's Encrypt comes up with workaround for abandonware Android devices:

Things were touch-and-go for a while, but it looks like Let's Encrypt's transition to a standalone certificate authority (CA) isn't going to break a ton of old Android phones. This was a serious concern earlier due to an expiring root certificate, but Let's Encrypt has come up with a workaround.

[...] Yesterday, Let's Encrypt announced it had found a solution that will let those old Android phones keep ticking, and the solution is to just... keep using the expired certificate from IdenTrust? Let's Encrypt says "IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors. ISRG and IdenTrust reached out to our auditors and root programs to review this plan and ensure there weren't any compliance concerns."

Let's Encrypt goes on to explain, "The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don't contain certificates per se, they contain 'trust anchors,' and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn't been added to older Android trust stores, DST Root CA X3 hasn't been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues."

Soon Let's Encrypt will start providing subscribers both the ISRG Root X1 and DST Root CA X3 certs, which it says will ensure "uninterrupted service to all users and avoiding the potential breakage we have been concerned about."
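As an added illustration (not code from Let's Encrypt, Android or the article), the following model shows the path-validation decision the quoted explanation turns on: an old trust store that holds only DST Root CA X3, a chain ending in ISRG Root X1 cross-signed by that root with a lifetime that outlives the root's own self-signed certificate, and a verifier that either enforces notAfter on trust anchors or, like Android, ignores it. Names are the real ones from the text; the dates and the leaf certificate are constructed for the example, and real signature checks and intermediates are omitted.

```python
"""Model of X.509 path validation with and without trust-anchor expiry checks.
Constructed example: dates are illustrative, signatures are not modelled."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

# Constructed chain: the old root, the new root cross-signed by the old root with a
# validity that extends past the old root's own self-signed certificate, the new root
# self-signed, and a leaf under the new root (long window for illustration only).
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2000, 9, 30), datetime(2021, 9, 30))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2021, 1, 20), datetime(2024, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2015, 6, 4), datetime(2035, 6, 4))
LEAF = Cert("example.org", "ISRG Root X1", datetime(2021, 5, 1), datetime(2022, 3, 1))

BEFORE_DST_EXPIRY = datetime(2021, 6, 1)  # old root still within its own notAfter
AFTER_DST_EXPIRY = datetime(2022, 2, 1)   # old root's self-signed cert has expired

def validate(chain, anchors, at, enforce_anchor_expiry):
    """Walk leaf -> ... -> anchor. Every presented certificate must be within its
    validity window at `at`; the anchor's own window is consulted only when the
    verifier enforces notAfter on trust anchors (Android does not)."""
    by_subject = {a.subject: a for a in anchors}
    for i, cert in enumerate(chain):
        if not (cert.not_before <= at <= cert.not_after):
            return False, f"{cert.subject} is outside its validity period"
        if i + 1 < len(chain):
            if chain[i + 1].subject != cert.issuer:
                return False, f"{cert.subject} is not issued by the next cert in the chain"
            continue
        anchor = by_subject.get(cert.issuer)
        if anchor is None:
            return False, f"no trust anchor for {cert.issuer}"
        if enforce_anchor_expiry and not (anchor.not_before <= at <= anchor.not_after):
            return False, f"trust anchor {anchor.subject} has expired"
        return True, f"chained to trust anchor {anchor.subject}"
    return False, "empty chain"

if __name__ == "__main__":
    old_store = [DST_ROOT]  # e.g. an abandoned Android device that never got ISRG Root X1
    print("strict verifier :", validate([LEAF, ISRG_X1_CROSS], old_store, AFTER_DST_EXPIRY, True))
    print("Android-like    :", validate([LEAF, ISRG_X1_CROSS], old_store, AFTER_DST_EXPIRY, False))
    print("modern store    :", validate([LEAF], [ISRG_X1_SELF], AFTER_DST_EXPIRY, True))
```

The strict verifier rejects the chain once the old root's self-signed certificate has expired, while the Android-like verifier accepts it for as long as the cross-signed ISRG Root X1 itself is valid.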

Full Disclosure: SoylentNews uses Let's Encrypt certificates.

Previously:
Let's Encrypt Will Stop Working for Older Android Devices
On the Way to Universal Recognition of Let's Encrypt Root Certificate
Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates


  • (Score: 1, Funny) by Anonymous Coward on Thursday December 24 2020, @11:40AM (#1090975) (1 child)

    Wouldn't letting the certs expire actually be a better solution? Hear me out on this one:
    If the certs that are expiring are indeed good ones, then letting them expire and forcing the error on the user would be a constant reminder to the user that the cert is actually *good*. This would mean that the certificates and trust chain have not been tampered with since the last time you were told "it's 'trustworthy'". Sure, it's a bit more 'in-your-face' compared to that little meaningless lock icon in your address bar, but whaddayagonnado?

    But no... we can't have those monkeys that we trained to be afraid of that scary 'certificate expired' message be taught what that message really means and that sometimes it's ok to click through (after inspection).

  • (Score: 3, Touché) by Zinnia Zirconium (11163) on Thursday December 24 2020, @09:39PM (#1091090)

    Haha! I get it! You're trolling all the idiots who didn't read past the headline.