Browser coverage

2,656 views
Skip to first unread message

mar...@byte.nl

unread,
Jun 12, 2015, 5:05:41 AM6/12/15
to clien...@letsencrypt.org
Hi,

Great project!

Maybe it's somewhere on the site but I couldn't find it, could you tell me something about the browser coverage? Which browsers will be supported? And I'm also curious under which CA / root the certificates will be issued?

Thanks!
Marije

Vincent Lynch

unread,
Jun 12, 2015, 10:54:46 AM6/12/15
to mar...@byte.nl, clien...@letsencrypt.org
The certificates will be issued under the "DST Root CA X3", operated by IdenTrust. The root has stupendous inclusion. It is more or less included on every meaningful device.

Trusted Root since....
-Not sure on exactly when it was included on Windows, but since at least IE8 http://www.herongyang.com/PKI/HTTPS-IE-8-Trusted-Root-CA-Certificate-Authorities.html

You can visit https://www.identrustssl.com/ on any device to test if the root is trusted. 

Let’s Encrypt developer @bcrypt posted a tweet asking for further device testing: https://twitter.com/bcrypt/status/600782345575206912 

Users confirmed the following devices recognized DST Root CA X3: iOS 3.1, Safari 4.0 (w/ Mac OSX 10.4), Android 2.3.6, Firefox OS 2.2, Meego (defunct Linux OS), Amazon FireOS (Silk Browser), Cyanogen 10, Debian 6, Jolla Sailfish OS 1.1.2.16, Kindle v3.4.1, Playstation 3

 Not Recognized By: Blackberry OS 10, 7, & 6, Android 2.3.5 (HTC Wildfire S, Stock Browser), Nintendo 3DS



Sincerely,


Vincent





--
You received this message because you are subscribed to the Google Groups "Let's Encrypt Client Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to client-dev+...@letsencrypt.org.
To post to this group, send email to clien...@letsencrypt.org.
To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/365539be-72e6-4ebb-8783-7d0f45660d85%40letsencrypt.org.



--
Vincent Lynch

Daniel Roesler

unread,
Jun 12, 2015, 11:34:29 AM6/12/15
to Vincent Lynch, mar...@byte.nl, clien...@letsencrypt.org
I'm seeing https://www.identrustssl.com/ as chained to the IdenTrust
Commercial Root CA 1 root (serial 0A 01 42 80 00 00 01 45 23 C8 44 B5
00 00 00 02 ), not DST Root CA X3 (serial 44 AF B0 80 D6 A3 27 BA 89
30 39 86 2E F8 40 6B). Is there another site that is chained to the X3
root?
> https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CAM_pNrcWqLMB71ZPB4zVbQUaT7v1izHFGKvRLFZQ-XWioGvWJA%40mail.gmail.com.

Vincent Lynch

unread,
Jun 12, 2015, 11:41:47 AM6/12/15
to Daniel Roesler, mar...@byte.nl, clien...@letsencrypt.org
Hi Daniel,

I may be misinterpreting this, but, despite the name  IdenTrust Commercial Root CA 1 does not seem to be a root. It is an Intermediate signed by DST Root CA X3.


-Vince
--
Vincent Lynch

Daniel Roesler

unread,
Jun 12, 2015, 11:48:19 AM6/12/15
to Vincent Lynch, marije, clien...@letsencrypt.org
Ah, ok. It seemed that Firefox is only showing the self-signed version
of IdenTrust Commercial Root CA 1, which is also in the root list.
Thanks for the clarification!
Screenshot - 06122015 - 08:46:15 AM.png

Vincent Lynch

unread,
Jun 12, 2015, 12:07:01 PM6/12/15
to Daniel Roesler, marije, clien...@letsencrypt.org
Very interesting. I wonder why SSLLabs does not show that as an alternate chain. My understanding was it used the NSS/Mozilla trust store.


--
Vincent Lynch
Reply all
Reply to author
Forward
0 new messages