by schoen 3933 days ago
In the short term, Let's Encrypt will be primarily trusted through an IdenTrust cross-signature, which should be created in the near future (and before Let's Encrypt certs are available to the general public).

The cross-signature is a delegation of authority from an existing root CA to Let's Encrypt's intermediate CA, saying that Let's Encrypt should also be trusted to issue certificates. Browsers that accept IdenTrust's root, which is widely accepted today, will then also accept the Let's Encrypt certificates as long as the services that present them also present the certificate chain (which includes the cross-signature certificate).

This will happen in parallel to Let's Encrypt's efforts to be accepted as a root CA, and is not dependent on it. For example, if Mozilla decided not to allow Let's Encrypt to be trusted as a root yet, past, current, and future Mozilla browsers would still accept Let's Encrypt end-entity certificates (with the proper chain) because of the cross-signature.

This is discussed in

https://community.letsencrypt.org/t/frequently-asked-questio...

and is also described in more detail at

https://letsencrypt.org/2015/06/04/isrg-ca-certs.html
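
Added example, not part of the comment above and not Let's Encrypt's or IdenTrust's own tooling: a constructed PKI built with the `openssl` CLI, showing that an end-entity certificate is accepted under the established root only when the server also presents the cross-signed intermediate. All CA names and file names are hypothetical, and the script also certifies the same intermediate key under the new CA's own root to show the parallel trust path.

```shell
#!/bin/sh
# Added example: every name below is constructed; no real CA certificates are used.
set -eu
ossl() { openssl "$@" 2>/dev/null; }   # hide key-generation progress output

# build_pki DIR: two roots, one intermediate key certified by both, one leaf.
build_pki() (
    cd "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
    # old_root stands in for the established root, new_root for the new CA's own.
    for r in old_root new_root; do
        ossl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
            -days 30 -subj "/CN=Example $r" -keyout "$r.key" -out "$r.pem"
    done
    # One intermediate name and key pair, requested once...
    ossl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Example New Intermediate" -keyout int.key -out int.csr
    # ...and certified twice: int_by_old_root.pem is the cross-signature.
    for r in old_root new_root; do
        ossl x509 -req -in int.csr -CA "$r.pem" -CAkey "$r.key" -set_serial 2 \
            -days 30 -extfile ca.cnf -extensions v3_ca -out "int_by_$r.pem"
    done
    # End-entity certificate, signed with the intermediate's private key.
    ossl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
    ossl x509 -req -in leaf.csr -CA int_by_new_root.pem -CAkey int.key \
        -set_serial 3 -days 30 -out leaf.pem
)

# verify_leaf DIR ROOT [PRESENTED]: succeeds only if leaf.pem chains to ROOT
# using nothing but the intermediate the server presented (PRESENTED, if any).
verify_leaf() (
    cd "$1"
    if [ -n "${3:-}" ]; then set -- -CAfile "$2" -untrusted "$3"
    else set -- -CAfile "$2"; fi
    openssl verify "$@" leaf.pem 2>/dev/null | grep -q ': OK'
)

demo=$(mktemp -d)
build_pki "$demo"
for c in "old_root.pem int_by_old_root.pem" "old_root.pem" \
         "new_root.pem int_by_new_root.pem"; do
    if verify_leaf "$demo" $c; then echo "accepted: trust+chain = $c"
    else echo "rejected: trust+chain = $c"; fi
done
rm -rf "$demo"
```

The middle case is the operational pitfall: a client that trusts only the established root rejects the leaf when the server omits the cross-signed intermediate from its chain.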