From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from sa-prd-fep-048.btinternet.com (mailomta13-sa.btinternet.com [213.120.69.19]) by sourceware.org (Postfix) with ESMTPS id 660943849ACB for ; Fri, 19 Apr 2024 12:48:51 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 660943849ACB Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=dronecode.org.uk Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=dronecode.org.uk ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 660943849ACB Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=213.120.69.19 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1713530933; cv=none; b=jIuvRf4gdGZ2a70LytOS56EXVEpppRegre/srWvtFHkpflIo7M3Xl+XvVJyKEW/qKUAyDL7GHhc6l3rXmKHnXIEPepN4VRGqkghooBcR96EMAszqsCUM+GVndCEdeVnPFvwpBN55mCT9NB3ch005hSALmU+UAxo+1MMuSEhzH+Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1713530933; c=relaxed/simple; bh=IRLNxufjvj9SZDLxPdBaoNErAPxtRKlk0LsTiCms57A=; h=Message-ID:Date:MIME-Version:Subject:To:From; b=pJNlmJ8EbK8gCEvU3J/RvmJHQNFZWPp0d0XNDlmyh2dY1tDihEcWsFB+Id33K6baSgU5xpvZMfeZTxa3vJQcfITwutJBZUGX69aAgymZviv7VEPRP4JVJnlV5JUMzMeDrXJqsEqyGN3woIXy189zMeRUZ+WGLiGTJ34xnfTDFXI= ARC-Authentication-Results: i=1; server2.sourceware.org Received: from sa-prd-rgout-002.btmx-prd.synchronoss.net ([10.2.38.5]) by sa-prd-fep-048.btinternet.com with ESMTP id <20240419124850.NZBT7361.sa-prd-fep-048.btinternet.com@sa-prd-rgout-002.btmx-prd.synchronoss.net>; Fri, 19 Apr 2024 13:48:50 +0100 Authentication-Results: btinternet.com; auth=pass (PLAIN) smtp.auth=jonturney@btinternet.com; bimi=skipped X-SNCR-Rigid: 65A567CD0AB895AC X-Originating-IP: [86.140.112.82] X-OWM-Source-IP: 86.140.112.82 X-OWM-Env-Sender: jon.turney@dronecode.org.uk X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedvledrudekvddgheejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkffggfgfuvfhfhfevjggtgfesthekredttddvjeenucfhrhhomheplfhonhcuvfhurhhnvgihuceojhhonhdrthhurhhnvgihsegurhhonhgvtghouggvrdhorhhgrdhukheqnecuggftrfgrthhtvghrnhepffejuefgffdvtdeugeduvdeggfffvddvvddvkeehteekgeeiudefheehieegkeefnecuffhomhgrihhnpehlvghtshgvnhgtrhihphhtrdhorhhgnecukfhppeekiedrudegtddrudduvddrkedvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplgduledvrdduieekrddurddutdelngdpihhnvghtpeekiedrudegtddrudduvddrkedvpdhmrghilhhfrhhomhepjhhonhdrthhurhhnvgihsegurhhonhgvtghouggvrdhorhhgrdhukhdpnhgspghrtghpthhtohepvddprhgtphhtthhopeeurhhirghnrdfknhhglhhishesufihshhtvghmrghtihgtufifrdgrsgdrtggrpdhrtghpthhtoheptgihghifihhnqdgrphhpshestgihghifihhnrdgtohhmpdhrvghvkffrpehhohhsthekiedqudegtddqudduvddqkedvrdhrrghnghgvkeeiqddugedtrdgsthgtvghnthhrrghlphhluhhsrdgt ohhmpdgruhhthhgpuhhsvghrpehjohhnthhurhhnvgihsegsthhinhhtvghrnhgvthdrtghomhdpghgvohfkrfepifeupdfovfetjfhoshhtpehsrgdqphhrugdqrhhgohhuthdqtddtvd X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean Received: from [192.168.1.109] (86.140.112.82) by sa-prd-rgout-002.btmx-prd.synchronoss.net (authenticated as jonturney@btinternet.com) id 65A567CD0AB895AC; Fri, 19 Apr 2024 13:48:50 +0100 Message-ID: <67488e2d-c183-4a3c-9248-7e907ae42c5f@dronecode.org.uk> Date: Fri, 19 Apr 2024 13:48:47 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains To: Brian Inglis References: <16f3e2ff-d86a-4ba5-9f70-5447fe3d0e5f@SystematicSW.ab.ca> From: Jon Turney Content-Language: en-US Cc: cygwin-apps@cygwin.com In-Reply-To: <16f3e2ff-d86a-4ba5-9f70-5447fe3d0e5f@SystematicSW.ab.ca> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,JMQ_SPF_NEUTRAL,KAM_DMARC_STATUS,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,TXREP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 17/04/2024 04:48, Brian Inglis via Cygwin-apps wrote: > Hi folks, Is this FYI, or are you suggesting there is some specific action we need to take? > https://letsencrypt.org/2023/07/10/cross-sign-expiration > Shortening the Let's Encrypt Chain of Trust > "On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by > default in requests made to our /acme/certificate API endpoint. > On Thursday, June 6th, 2024, we will stop providing the longer > cross-signed chain entirely. > On Monday, September 30th, 2024, the cross-signed certificate will expire." > > https://letsencrypt.org/2024/03/19/new-intermediate-certificates > New Intermediate Certificates > "Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 > new Intermediate CA Certificates containing the new public keys." > > https://letsencrypt.org/2024/04/12/changes-to-issuance-chains > Deploying Let's Encrypt's New Issuance Chains > "On Thursday, June 6th, 2024, we will be switching issuance to use our > new intermediate certificates. Simultaneously, we are removing the DST > Root CA X3 cross-sign from our API, aligning with our strategy to > shorten the Let’s Encrypt chain of trust. We will begin issuing ECDSA > end-entity certificates from a default chain that just contains a single > ECDSA intermediate, removing a second intermediate and the option to > issue an ECDSA end-entity certificate from an RSA intermediate."