by alanfranz 2048 days ago
Maybe IdenTrust will now offer an ACME-compatible endpoint and offer signed, paid certs with their CA. Or another CA will.

I wonder whether IdenTrust imagined that a five-year cross-signed root CA would be too little a timespan to get wide adoption.

Btw... Wouldn't it be possible to just add a new root CA to Android? Maybe an app could simplify delivery?

3 comments

> Maybe an app could simplify delivery?

I'd be very surprised if an app without root privileges could install a new root certificate. If an app installed a malicious (or even just a poor quality) certificate, that would be a pretty big compromise to the OS.

What is strange to me though, is that it seems like the OS should have a mechanism to update the root certs independently of the OS itself. Then again, not updating root certs is a way to put an expiration date on a phone, forcing customers to buy more phones...

I would imagine that the app could make the delivery smoother than "download a file on the filesystem, look for a menu somewhere where to add the root CA".

Maybe a single confirmation box "would you like to add this CA" would work.

> I'd be very surprised if an app without root privileges could install a new root certificate.

It's not like the OS can actually withstand the app though, looking at a years out-of-date OS with thousands of accumulated known bugs.

Android has always had an "install certificate from SD card" option, so it's absolutely possible, just very annoying.
Starting with (I think) Android 6, this will be accompanied with a non-discardable "Somebody might be tracking you!!!" scare warning in the menu bar. I'm not a fan of the idea of educating users to ignore something like that.
The article says the Firefox app comes with its own up-to-date certificates which they maintain outside of the OS, so there's that solution apparently.