Extending Android Device Compatibility for Let's Encrypt Certificates
letsencrypt.org
This impacts Android operating systems prior to 7.1.1:
> IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.
So frustrating that an unmaintainable operating system was released into the world.
Android has enabled millions of people to access the Internet who wouldn't have been able to otherwise, so I'd say the tradeoff was worth making. The tradeoff just happens to be not so great from a developer perspective.
It wasn't unmaintainable when it was released.
There are a lot of factors going on, not the least of which is that phone manufacturers locked their bootloaders, and didn't support newer Android versions after a year or two.
Hard disagree, especially given that Windows has always demonstrated that its root certificates can be upgraded if necessary, even without other updates (security or non-security), and even Linux distributions can update root certificates effortlessly. It is Android's design to blame here (regardless of whether manufacturers should share blame here, which in my opinion they (especially Qualcomm) definitely should).
The locking the bootloader thing should be illegal, by international law, to prevent e-waste. It should not be legal anywhere on earth to fill the landfills with short-lived high-tech devices.
This is great news. This means many won't have to look to other alternatives for certs because of potential compatibility issues with old Android devices.
This is great news. I also was worried about this issue.
Great! I wish these old devices are dead after three years.