Yeah that LE root certificate change broke our PROD for about 25% of traffic when it happened. Everyone acts like we control our client's cert chains. Clients don't look at the failure and think "our system is broken - we should upgrade". They look at the connection failure and think "this vendor is busted - might as well switch to someone who works". I switched away from LE to the other free ACME provider for our public-facing certs after that.
Only for devices that do not allow you to patch the CA bundle as an aftermarket repair. Call your representative and demand Right to Repair legislation.
That is ... basically all of them? Other than general purpose desktop/laptop computers that is. Show me a TV or smartphone that does allow you to push new roots to it...
> If roots rotate often then we build the muscle of making sure trust bundles can be updated
Five years is not enough incentive to push this change. A TV manufacturer can simply shrug and claim that the device is not under warranty anymore. We'll only end up with more bricked devices.
> 1. These might need to happen as emergencies if something bad happens
Isn't this the whole point of intermediate certificates, though?
You know, all the CA's online systems only having an intermediate certificate (and even then, keeping it in a HSM) and the CA's root only being used for 20 seconds or so every year to update the intermediate certificates? And the rest of the time being locked up safer than Fort Knox?
The thing is even the most secure facilities need ingress and egress points.
Those are weaknesses. It’s also that a root rotation might be needed for completely stupid vulnerabilities. Like years later finding that specific key was generated incorrectly.
Chrome root policy, and likely other root policies are moving toward 5-years rotation of the roots, and annual rotation of issuing CAs.
Cross-signing works fine for root rotation in most cases, unless you use IIS, then it becomes a fun problem.
