It's hard to criticize them for this in this context and I think that's the point. Otherwise, "We are dumping Lets Encrypt and switching to some CA" doesn't sound quite as nice.
Old Androids and other systems where you don't get to update your root CAs mean that you can never add new CAs because too few devices trust them, or enfore new TLS versions because you have to assume that too many people use very old devices, maybe, I don't know, I'm not an expert, if someone can explain what really is at stake here.
I'm surprised they basically choose to ignore explicitly made CAA records, if they don’t match any of their CAs. Why bother with setting up CAA records at all if they will be silently ignored?
Most big changes like this get rolled out gradually, but an expiration date causes things to break everywhere at once. They can minimize that impact with this change. Other websites will break first.
But I wonder if they will start using Let's Encrypt again later, in a more gradual way? For example, on any new websites that launch after the expiration date?
16 comments
[ 2.8 ms ] story [ 47.6 ms ] threadBut I wonder if they will start using Let's Encrypt again later, in a more gradual way? For example, on any new websites that launch after the expiration date?
What a poor title change.