by michaelt 2628 days ago
So what motivates one CA to cross-sign another? I would have thought, if you were a CA you'd prefer not to enable your competitors - especially one who's planning to give away the product for free.
4 comments

I don't think anybody at Let's Encrypt has spoken on this topic, but in their case specifically there are both moral and pragmatic reasons to choose to cross-sign.

The moral one is the easy one. If you work for a public CA you presumably think that the Web PKI is a good idea, and Let's Encrypt helped bring that benefit to lots more users, so that's a good thing. Consider the question of whether McDonalds should support a local soup kitchen. McDonalds thinks food helps bring people together, so why not?

Pragmatically, there are a number of benefits to Let's Encrypt for a commercial CA. It creates a "brand halo" for the "SSL Certificate" product class that you benefit from, where positive experiences with Let's Encrypt result in more customers for you. Growing the market means more opportunities for you as a seller. I see some misleading analysis of the "SSL Certificate" market that doesn't include "Does not have a cert" as one of the options. So they see Let's Encrypt crushing other outfits and assume that's got to hurt profits. But a site that goes from nothing to a Let's Encrypt cert makes no difference to sales at the for-profit CA. Even if 100 sites do that, if just one copies them but chooses to buy a cert, that's an extra sale they would not make otherwise.

AIUI IdenTrust was set up as a sort of self-servicing entity by banks, mostly for banks and their clients, so IdenTrust probably doesn't really care too much about classic web CA business.

I was going to add this. The choice of IdenTrust was not an accident. It was and is a very reputable CA, but for banking reasons, and so is not threatened by LE's entry into the market.
It's worth noting here, too, that the vast majority of commercial CAs do not make a lot of money from their public SSL business. The public SSL business is viewed as a loss leader that provides a public profile and security assurance for the company, but most of them make far more money from their private PKI engagements (e.g. providing all of the certificates for a company's Active Directory infrastructure). As such, Let's Encrypt enhances people's desire for certificates, but doesn't at all compete in the private-CA space where most CAs make bank.

There's no way that a multi-thousand dollar EV wildcard cert is a "loss leader".
I dunno, if you look at the legacy of DigiNotar it seems like you're dealing with a lot of potential headaches for a couple thousand bucks that your customers hate paying you anyway.

(DigiNotar, of course, famously gave out a fraudulent *.google.com cert and is now defunct.)

As a CA you're assuming a whole lot of liability for not that much money (not that much at the scale of even a small business, anyway), and that just doesn't seem like it'd scale to a wildly profitable venture, especially considering the kinds of people who are actually well equipped to run a CA can probably make a lot more money doing basically anything else in web security. When you add up the contingency risks, the opportunity costs, and whatever actual day-to-day business expenses, it does seem like you'd be looking for other ways to make more comfortable profits.

That doesn't mean CAs should charge more or anything, just that I could accept that SSL certs for standard websites aren't what anyone with a good vision for their business is really trying to hold onto.

Let's Encrypt is a nonprofit, so all expenses on cross-signing would be tax deductible. Also, LE only does DV (not OV or EV, and only recently wildcards) and it has purposely short expiry times, so it's not a 100% direct competitor.

The greatest motivator of all, money!
How much money are we talking here?

Because most businesses, if you ask them "How much $$$ to destroy your business?" will respond "absolutely loads"

There are already many CAs, so the real answer is 'loads, but less if we think you'll just ask a competitor'.

But that wasn't the question. The question was "How much money do you want from us before we destroy your business?"

For one, there are so many CAs that could potentially cross-sign that it's unlikely none will "defect" and take the opportunity to earn some money. But also, if none had cross-signed, they simply would have started later with their own root cert, destroying the business anyway, so that's another reason to earn some money while you can.

The CA market was so competitive, and with free and open CAs coming in the future, IdenTrust probably grabbed the opportunity. It would have been someone else if it wasn't IdenTrust.

IdenTrust has OV, EV, managed PKI, and even DV certificates with 2 year validity that some legacy organization infrastructure requires.