From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by sourceware.org (Postfix) with ESMTPS id 3C20F3858D20 for ; Wed, 17 Apr 2024 03:48:12 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 3C20F3858D20 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=SystematicSW.ab.ca Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=SystematicSW.ab.ca ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 3C20F3858D20 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=216.40.44.14 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1713325694; cv=none; b=c0MkYTGqmqJmFKXE1r0E1KqAFS4Epf8DwiTN3DgPNUWcQWowARNl2AFSMeYUjxKWAvQ4GucVdk9Xa7FFfeSnAsfvii9BG9cgjNdjAP/GqfDX3L2tL0YOk2KxmhCK50i2KMHtCojR94LbcK5yH68u478KIxFn2MhK/HTo5kJN2gU= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1713325694; c=relaxed/simple; bh=04e1OmjTbAI8TBRzxwPKdtrcKXW56v7bhWZYML/1j7U=; h=Message-ID:Date:MIME-Version:Subject:From:To; b=Lzw9yf4ncJH08DB6IrYjWQTZB0+d38bjWi7QYWVV5CXEwhcPB+q9rhdp6DbMH98lsoNpikSnXeoI2tuH4EjfcHGGDJDif2wKGHcSDugDSC+Dyc4YPO7ngxPJ/X2aezbwI332fomzra/pmTe5gRAcZwfupz424kIK/ee+aU9ZSL4= ARC-Authentication-Results: i=1; server2.sourceware.org Received: from omf19.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id BDD89140C67 for ; Wed, 17 Apr 2024 03:48:11 +0000 (UTC) Received: from [HIDDEN] (Authenticated sender: Brian.Inglis@SystematicSW.ab.ca) by omf19.hostedemail.com (Postfix) with ESMTPA id 683F520026 for ; Wed, 17 Apr 2024 03:48:10 +0000 (UTC) Message-ID: <16f3e2ff-d86a-4ba5-9f70-5447fe3d0e5f@SystematicSW.ab.ca> Date: Tue, 16 Apr 2024 21:48:09 -0600 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains Reply-To: cygwin-apps@cygwin.com Content-Language: en-CA From: Brian Inglis Organization: Systematic Software To: Cygwin Apps Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 683F520026 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,KAM_DMARC_STATUS,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,TXREP,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.6 X-Rspamd-Server: rspamout08 X-Stat-Signature: 1uqq17so53i6hres4po8c4qpzzuzuump X-Session-Marker: 427269616E2E496E676C69734053797374656D6174696353572E61622E6361 X-Session-ID: U2FsdGVkX18L1/af0GYjh0Kh3Q+wMyGAXaZKMn68u1I= X-HE-Tag: 1713325690-671228 X-HE-Meta: U2FsdGVkX19nXuza4m49XF0RKf/sSyBmYLaKQnnc8Xq8jehPucldReppk/PnTXzMLv7L/HtIs3+chNI41SRVI/OKuRBW9K1mI17l/3eB5Wk33/AONoogHvFMiVWlrfX5CgOY7AXTvfPHxteU4TMcLqsLLX891TwXsmr8ZABZy4kCgxwJi9DdTjyyx8dD1KfzFoGLbfuFC1B72/xoAxkhykh+/yFZS4xbie9gocYlUttkQitLFXK95gdTsQJlLmo0MJNxJJvE+Rj42GAq0w8nFEOLLhEgIe8oSDXl7heMcT8/Ahv7mSiPlyddLIyV6fRGAHHjPlryuKobPSjKIBPiBHV6fhW2ckaUHxmNyZAZCLHLrRESQLnWTChndIfFvaWDLgmC/ferZj5M4RzCT3EQ5g== X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: Hi folks, https://letsencrypt.org/2023/07/10/cross-sign-expiration Shortening the Let's Encrypt Chain of Trust "On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. On Monday, September 30th, 2024, the cross-signed certificate will expire." https://letsencrypt.org/2024/03/19/new-intermediate-certificates New Intermediate Certificates "Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 new Intermediate CA Certificates containing the new public keys." https://letsencrypt.org/2024/04/12/changes-to-issuance-chains Deploying Let's Encrypt's New Issuance Chains "On Thursday, June 6th, 2024, we will be switching issuance to use our new intermediate certificates. Simultaneously, we are removing the DST Root CA X3 cross-sign from our API, aligning with our strategy to shorten the Let’s Encrypt chain of trust. We will begin issuing ECDSA end-entity certificates from a default chain that just contains a single ECDSA intermediate, removing a second intermediate and the option to issue an ECDSA end-entity certificate from an RSA intermediate." -- Take care. Thanks, Brian Inglis Calgary, Alberta, Canada La perfection est atteinte Perfection is achieved non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut -- Antoine de Saint-Exupéry