Nobody's paying for EV certificates now browsers don't display the EV details. The only reason to pay for a certificate is if you're rotating certificates manually, and the 90 day expiry of Lets Encrypt certificates is a hassle.

If the CA/Browser Forum is forcing everyone to run ACME clients (or outsource to a managed provider like AWS or Cloudflare) doesn't that eliminate the last substantial reason to give money to a CA?

Microsoft voted for it, and now they are basically the only game in town for cloud signing that is affordable for individuals. The Forum needs voting representatives for software developers and end users or else the members will just keep enriching themselves at our expense.

They set the baseline standard for code signing certificates. In 2020 they added the requirement to use hardware modules which resulted in much higher prices and fewer small developers opting to sign their code.

Seems to me CAs have intermediate certificates and can rotate those, not much upside to rotating the root certificates, and lots of downsides.

1. These might need to happen as emergencies if something bad happens

2. If roots rotate often then we build the muscle of making sure trust bundles can be updated

I think the weird amount they are being rotated today is the real root cause if broken devices and we need to stop the bleed at some point.

Five years is not enough incentive to push this change. A TV manufacturer can simply shrug and claim that the device is not under warranty anymore. We'll only end up with more bricked devices.

Isn't this the whole point of intermediate certificates, though?

You know, all the CA's online systems only having an intermediate certificate (and even then, keeping it in a HSM) and the CA's root only being used for 20 seconds or so every year to update the intermediate certificates? And the rest of the time being locked up safer than Fort Knox?

Those are weaknesses. It’s also that a root rotation might be needed for completely stupid vulnerabilities. Like years later finding that specific key was generated incorrectly.

If the vendor is really unable to update, then it's at best negligence when designing the product, and at worst -- planned obsolescence.

2. Product is a smart fridge or whatever, reasonable users might keep it offline for 5+ years.

3. New homeowner connects it to the internet.

4. Security update fails because the security update server's SSL cert isn't signed by a trusted root.

We do car recalls all the time. Just send out an email or something with instructions of what to put on a USB, it's basically the same thing.

Yes it's inconvenient for consumers and annoying but the alternative is worse. Essentially hard coding certificates was always a bad idea.

Nothing stays the same forever, software is never done. It’s absurd pretend otherwise.

The CA folks and the Browser folks may have had differences of opinions.

I expect they will introduce new, "more secure", proprietary methods, and ride the vendor lock-in until the paid certificate industries death.

Large companies will keep on using paid providers also for business continuity in case free provider will fail. Also I don’t know what kind of SLA you have on let’s encrypt.

It is more complicated than „oh it is free let’s move on”.