[aftbit]

Yeah that LE root certificate change broke our PROD for about 25% of traffic when it happened. Everyone acts like we control our client's cert chains. Clients don't look at the failure and think "our system is broken - we should upgrade". They look at the connection failure and think "this vendor is busted - might as well switch to someone who works". I switched away from LE to the other free ACME provider for our public-facing certs after that.

[nickf]

Roots for all CAs are going to be rotating much more frequently now. Looking to be every 5 years.

[silverwind]

Sounds like planned obsolescence if devices stop working after 5 years or less.

[majewsky]

Only for devices that do not allow you to patch the CA bundle as an aftermarket repair. Call your representative and demand Right to Repair legislation.

[aftbit]

That is ... basically all of them? Other than general purpose desktop/laptop computers that is. Show me a TV or smartphone that does allow you to push new roots to it...

[michaelt]

I'd be interested in hearing more - do you have a source for this?

Seems to me CAs have intermediate certificates and can rotate those, not much upside to rotating the root certificates, and lots of downsides.

[aaomidi]

The upside to rotating roots is:

1. These might need to happen as emergencies if something bad happens

2. If roots rotate often then we build the muscle of making sure trust bundles can be updated

I think the weird amount they are being rotated today is the real root cause if broken devices and we need to stop the bleed at some point.

[selcuka]

> If roots rotate often then we build the muscle of making sure trust bundles can be updated

Five years is not enough incentive to push this change. A TV manufacturer can simply shrug and claim that the device is not under warranty anymore. We'll only end up with more bricked devices.

[aaomidi]

5 years also is a step not a destination

[account42]

Sounds more like a detour across hot coals that doesn't get us anywhere closer to the destination.

[michaelt]

> 1. These might need to happen as emergencies if something bad happens

Isn't this the whole point of intermediate certificates, though?

You know, all the CA's online systems only having an intermediate certificate (and even then, keeping it in a HSM) and the CA's root only being used for 20 seconds or so every year to update the intermediate certificates? And the rest of the time being locked up safer than Fort Knox?

[aaomidi]

The thing is even the most secure facilities need ingress and egress points.

Those are weaknesses. It’s also that a root rotation might be needed for completely stupid vulnerabilities. Like years later finding that specific key was generated incorrectly.

[nickf]

Chrome root policy, and likely other root policies are moving toward 5-years rotation of the roots, and annual rotation of issuing CAs. Cross-signing works fine for root rotation in most cases, unless you use IIS, then it becomes a fun problem.

[mikestorrent]

What an absolute pain in the ass for a mediocre increase in security.

[account42]

And your clients are right. The "security" community's wanton disregard for backwards compatibility is abhorrent.