LetsEncrypt will continue working for older Android devices!
Published 2020-12-23 on rakhesh.com

You can read about the background of the issue here. What’s funny is this (from the official announcement):

> IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.

And later again:

> But isn’t DST Root CA X3 expiring?
>
> The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don’t contain certificates per se, they contain “trust anchors”, and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn’t been added to older Android trust stores, DST Root CA X3 hasn’t been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues.

I find it funny that Android does not enforce the expiration dates of CA root certs. So even though the IdenTrust CA root cert on Android devices has expired, it is still considered valid, and any certs signed by it, even with dates much later than its own expiry, are considered valid. This way IdenTrust can sign LetsEncrypt’s own root cert, using which LetsEncrypt can issue other certs. If you are on a non-Android device I presume you ignore the IdenTrust root cert as you already trust LetsEncrypt’s root cert, while if you are on Android you trust LetsEncrypt either because you trust its root cert (newer devices) or because you trust the signature from the expired IdenTrust root cert (older devices). It’s a smart workaround.