Tuesday, November 24, 2015

Microsoft November 23, 2015 Certificate Trust List Update Details

Edited 12/4 to show changed trust bits.
Microsoft has improved the transparency of their root certificate updates and the accompanying table, but clearly more is needed, because even people who follow it are still taken by surprise: http://hexatomium.github.io/2015/11/24/ms-quietly-adds-5-new-trusted-root-certs/

Microsoft's official announcements are now at aka.ms/rootupdates, and Jody Cloutier, who manages the program, has been posting notices on the CABForum mailing list.

Below is a summary of the last few updates, including detail on the November updates.

The August 2015 update just added trust bits for two existing Certificate Authorities, allowing their roots to be trusted for more purposes.

"Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation)"
"Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing"

September 1, 2015 brought an unscheduled update to replace a root that had been allowed to expire.

"an unscheduled update to the Trusted Root Store to update the expiration of the A-Trust-NQual-03 root."

The November 23, 2015 update adds four new root certificates and removes 10.

New Certificate Authorities

No new Certificate Authorities joined the program this update.

New Root Certificates (4)

Hellenic Academic and Research Institutions added two new certificates.  Along with adding ECDSA, these look to be planned replacements for the existing roots that will retire in 2018/19.
I.CA of the Czech Republic also appears to be planning for expirations.
China Financial adds one new root that is only trusted for Document Signing.

SHA1 Thumbprint | Current CA Owner | Country | Root CA Name | Algorithm | Size | Expiration
010c0695a6981914ffbf5fc6b0b695ea29e912a6 | Hellenic Academic and Research Institutions | Greece | Hellenic Academic and Research Institutions RootCA 2015 | RSA | 4096 | 6/30/2040
9ff1718d92d59af37d7497b4bc6f84680bbab666 | Hellenic Academic and Research Institutions | Greece | Hellenic Academic and Research Institutions RootCA 2015 | ECDSA (SHA384) | 385 | 6/30/2040
9b0959898154081bf6a90e9b9e58a4690c9ba104 | I.CA První certifikační autorita, a.s. | Czech Republic | I.CA Root CA | RSA | 4096 | 5/27/2040
f02b70bde4eae02b207377b9fd4785e4c9cc55dc | China Financial | China | CFCA Identity CA | RSA | 4096 | 6/30/2040

Removed/Retired Root Certificates

Symantec retired five old certificates.
Entrust retired a 1024 bit root certificate.

Comodo retired a Usertrust root expiring in 2019.
Unizeto CERTUM retired a certificate; based on Bugzilla, I think they are reissuing a new one due to BR (Baseline Requirements) updates.
Camerfirma is retiring a 2047-bit root certificate, a legacy of old buggy software.
SG Trust Services (Societe Generale) seems to be out of the program.

SHA1 Thumbprint | Current CA Owner | Country | Root CA Name | Algorithm | Size | Expiration
99a69be61afe886b4d2b82007cb854fc317e1539 | Entrust | Canada | Entrust | RSA | 1024 | 5/25/2019
0c628f5c5570b1c957fafd383fb03d7b7dd7b9c6 | SG Trust Services | France | SG Trust Services | RSA | 4096 | 9/5/2030
3e5d358f283a0f647c1c927ffbaad4852d997256 | Unizeto CERTUM | Poland | Certum Trusted Network CA 2 | RSA | 4096 | 10/6/2046
ee29d6ea98e632c6e527e0906f0280688bdf44dc | Camerfirma | Spain | Chambersign Public Notary Root | RSA | 2048 | 9/30/2037
58119f0e128287ea50fdd987456f4f78dcfad6d4 | Comodo | USA | USERTrust | RSA | 2048 | 6/24/2019
ae5083ed7cf45cbc8f61c621fe685d794221156e | Symantec | USA | TC TrustCenter Class 2 CA II | RSA | 2048 | 12/31/2025
a69a91fd057f136a42630bb1760d2d51120c1650 | Symantec | USA | TC TrustCenter Class 4 CA II | RSA | 2048 | 12/31/2025
6b2f34ad8958be62fdb06b5ccebb9dd94f4e39f3 | Symantec | USA | TC TrustCenter Universal CA I | RSA | 2048 | 12/31/2025
9656cd7b57969895d0e141466806fbb8c6110687 | Symantec | USA | TC TrustCenter Universal CA III | RSA | 2048 | 12/31/2029
c8ec8c879269cb4bab39e98d7e5767f31495739d | Symantec | USA | VeriSign | RSA | 2048 | 7/16/2036

Changed Trust Attributes

VRK Gov. Root CA (Finland) added the TimeStamp Signing certificate purpose.
LAWTrust Root Certification Authority (New Zealand) removed the Server Authentication certificate purpose.

Saturday, July 4, 2015

June 30, 2015 Apple iOS / OS X Certificate Trust update

Apple Certificate Trust List changes in iOS 8.4 and OS X

List of available trusted root certificates in iOS 8
List of available trusted root certificates in OS X Yosemite

Both show Last Modified: Jun 30, 2015; the previous modification was April 9, 2015.  I downloaded them and compared them with the previous versions.  They're big lists, so to make it simple:

The only change affects CNNIC, the China Internet Network Information Center. Two root certificates from CNNIC were removed from the Trust Store, and a whitelist of previously issued certificates was added.

Apple says: "An intermediate certificate was incorrectly issued by the certificate authority CNNIC. This issue was addressed through the addition of a mechanism to trust only a subset of certificates issued prior to the mis-issuance of the intermediate."

The CNNIC / MCS incident received substantial coverage; I won't rehash it here, but will link to the major primary-source commentaries.

  1. Maintaining digital certificate security - Google
  2. The MCS Incident and Its Consequences for CNNIC - Mozilla (PDF)
  3. MCS Response to Google Blog - MCS 
  4. Clarification on some media’s claim that “CNNIC has issued certificates for MITM attack” - CNNIC
  5. Google Chrome will banish Chinese certificate authority for breach of trust - Arstechnica.com

While the CNNIC root certificates are no longer trusted, Apple added a lot of existing certificates issued by CNNIC before April 1, 2015.  Comparing this to the actions of others, it seems Google (1) is using the "publicly disclosed whitelist" while Mozilla (2) decided to implement a date-based approach.  Mozilla has a tracking bug for items that CNNIC must address in order to be reinstated.
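The two remediation styles just described, as an added example (this is not Apple's, Google's or Mozilla's code): a gate applied after normal path validation that blocks CNNIC-rooted chains unless the leaf is on a published allow list (the Google/Apple approach) or was issued before the cut-off date (the Mozilla approach). The two root fingerprints and the April 1, 2015 cut-off are taken from this post; the `Cert` record, the `cnnic_gate` function, the placeholder fingerprints and the sample validity dates are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Minimal certificate record (field names are this example's assumption)."""
    subject: str
    issuer: str
    sha1: str          # SHA-1 fingerprint of the DER encoding, hex
    not_before: date   # start of validity, used by the date-based policy


# SHA-1 fingerprints of the two CNNIC roots, as listed on the Apple trust-store
# pages quoted in this post.
CNNIC_ROOT_SHA1 = frozenset({
    "4F99AA93FB2BD13726A1994ACE7FF005F2935D1E",  # CNNIC EV Certificates Root
    "8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F",  # CNNIC ROOT
})

# Mozilla's date-based cut-off: certificates issued before this date stay trusted.
MISISSUANCE_CUTOFF = date(2015, 4, 1)


def chains_to_cnnic(chain: list[Cert]) -> bool:
    """True if the root (last element) of the chain is one of the CNNIC roots."""
    return chain[-1].sha1.upper() in CNNIC_ROOT_SHA1


def allowed_by_whitelist(leaf: Cert, allow_list: frozenset[str]) -> bool:
    """Google/Apple approach: the leaf must appear on the published allow list."""
    return leaf.sha1.upper() in allow_list


def allowed_by_date(leaf: Cert, cutoff: date = MISISSUANCE_CUTOFF) -> bool:
    """Mozilla approach: only certificates issued before the cut-off stay trusted."""
    return leaf.not_before < cutoff


def cnnic_gate(chain: list[Cert], policy: str,
               allow_list: frozenset[str] = frozenset()) -> bool:
    """Apply the CNNIC-specific remediation to an already path-validated chain.

    chain[0] is the leaf, chain[-1] the root. Returns True when this gate does
    not block the chain; chains ending at any other root pass through untouched.
    This is an extra check layered on normal validation, not a replacement for it.
    """
    if not chain:
        raise ValueError("empty chain")
    if not chains_to_cnnic(chain):
        return True
    leaf = chain[0]
    if policy == "whitelist":
        return allowed_by_whitelist(leaf, allow_list)
    if policy == "date":
        return allowed_by_date(leaf)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample chains: fingerprints other than the roots' are placeholders
# and the validity dates (other than the cut-off) are made up for illustration.
CNNIC_EV_ROOT = Cert("CNNIC EV Certificates Root", "CNNIC EV Certificates Root",
                     "4F99AA93FB2BD13726A1994ACE7FF005F2935D1E", date(2010, 8, 31))
CNNIC_EV_SSL = Cert("CNNIC EV SSL", "CNNIC EV Certificates Root",
                    "INTERMEDIATE-PLACEHOLDER", date(2010, 9, 1))
OLD_LEAF = Cert("www.example.test", "CNNIC EV SSL", "LEAF-OLD-PLACEHOLDER", date(2014, 5, 1))
NEW_LEAF = Cert("www.example.test", "CNNIC EV SSL", "LEAF-NEW-PLACEHOLDER", date(2015, 5, 1))
OTHER_ROOT = Cert("Some Other Root", "Some Other Root", "OTHER-ROOT-PLACEHOLDER", date(2000, 1, 1))
OTHER_LEAF = Cert("www.example.test", "Some Other Root", "OTHER-LEAF-PLACEHOLDER", date(2015, 6, 1))

if __name__ == "__main__":
    chain_old = [OLD_LEAF, CNNIC_EV_SSL, CNNIC_EV_ROOT]
    chain_new = [NEW_LEAF, CNNIC_EV_SSL, CNNIC_EV_ROOT]
    allow = frozenset({OLD_LEAF.sha1})
    for label, chain in (("old leaf", chain_old), ("new leaf", chain_new)):
        print(label, "whitelist:", cnnic_gate(chain, "whitelist", allow),
              "date:", cnnic_gate(chain, "date"))
```

The difference between the two policies shows up for a certificate issued before the cut-off that is not on the allow list: the date policy accepts it, the whitelist policy does not, which is why the whitelist has to be complete (and public) to be useful.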

SHA1 Fingerprint: 4F99AA93FB2BD13726A1994ACE7FF005F2935D1E
Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy
China Internet Network Information Center EV Certificates Root | China Internet Network Information Center EV Certificates Root | RSA | 2048 bits | SHA-1 | 48 9F 00 01 | 07:11:25 Aug 31, 2030 |
SHA1 Fingerprint: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
CNNIC ROOT | CNNIC ROOT | RSA | 2048 bits | SHA-1 | 49 33 00 01 | 07:09:14 Apr 16, 2027 | Not EV

Apple provides more information about the "partial set" of CNNIC issued certificates that are being grandfathered in.

  1. About the security partial trust allow list

CNNIC EV Certificates Root -> CNNIC EV SSL

Some interesting entries are below.  These don't appear to conform to the EV baseline requirements (the names are unqualified) unless the hostname is just not printed correctly, or they may not be server authentication certificates.  Five are already expired.  The unqualified names appear to be CNNIC internal for PKI operations (RA = Registration Authority, etc.).

Certificate Name | Algorithm | Serial Number | Expiration
aa01 | 1024 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 DC | 11-2016
RASERVER | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 7D | 9-2015
auth.cnidrz.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C0 | 4-2015
www.cnidrz.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C1 | 4-2015
www.e-shenhua.com | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 BB | 5-2015
www.sfn.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C5 | 5-2015
www.sudu.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C2 | 4-2015

This list has 1429 certificates, 318 of which are expired. I picked out some hosts below that are of interest.  I checked a few sites to see if they are reachable, and wasn't able to verify any.  I did find a few that are using WoSign certs (www.escience.cn, for example).  The addresses in the table below might be CNNIC internal (RA means Registration Authority in a PKI, for example).

Certificate Name | Algorithm | Serial Number | Expiration
| 1024 bits SHA-1 | 44 F3 00 01 | 9-2015
| 1024 bits SHA-256 | 00 92 E0 FA DA E7 0E D8 01 3A 5B C7 9E A0 63 76 F2 | 11-2024
| 2048 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 15 C9 | 9-2015
| 2048 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 15 CA | 9-2015
aa001 | 1024 bits SHA-1 | 1C 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 E0 | 5-2015
aa001 | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 18 8D | 5-2015
aa003 | 1024 bits SHA-1 | 1C 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 E1 | 5-2015
admin | 1024 bits SHA-256 | 00 D4 BA 5D 74 09 B2 E9 8A DF 20 57 D2 3A C8 18 F6 | 12-2015
admin | 1024 bits SHA-256 | 5A B1 E6 B4 CA F6 9D 97 CA 8E 61 AC D1 25 D5 19 | 2-2020
admin | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 18 9F | 6-2016
eee | 2048 bits SHA-256 | 00 E5 B6 35 17 43 47 B6 D0 FD 11 14 5B 34 8D 56 22 | 12-2015
firstpa | 1024 bits SHA-256 | 00 EF 1E 7B DE 2C D0 20 CC 34 D2 EF 30 EC 8B 9E 60 | 11-2024
firstpa | 1024 bits SHA-1 | 44 F3 00 02 | 9-2015
ra | 1024 bits SHA-256 | 00 8F B6 2D 47 FE 73 F1 00 EE BA 22 D0 7B 4B 6B 9F | 12-2019
ra | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 15 5E | 3-2017
raadmin | 1024 bits SHA-256 | 79 3E 14 07 1F 0E 08 8C 7F 6D 15 95 2A A3 C8 69 | 12-2015
rads | 1024 bits SHA-256 | 25 79 DF 31 EC 34 B4 8D 5F DA 82 AD B6 E2 10 90 | 12-2019
radstest | 1024 bits SHA-256 | 00 C7 05 AA 86 67 C1 27 A6 08 8A 09 E3 8E B5 DD F5 | 12-2015
sslsecondpa | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 14 74 | 7-2015
t1 | 2048 bits SHA-256 | 25 D8 B2 5E 3C 7A 78 CD AB 97 06 4F 0C 9C 9B 84 | 12-2015
test | 1024 bits SHA-256 | 25 EB 7D 72 B9 C0 47 62 73 22 C8 E7 ED 26 57 A9 | 12-2015
test | 2048 bits SHA-256 | 48 98 DF D6 CE 28 ED B9 6A 55 82 65 B2 AD 92 26 | 12-2015
test.cnnic.cn | 1024 bits SHA-256 | 00 C3 8B 4C D7 E9 81 FD 71 B5 71 A8 74 65 B6 F1 CE | 12-2015
test1 | 1024 bits SHA-256 | 00 C1 DF C2 8A 44 80 44 25 82 62 8C 66 C8 02 31 FD | 12-2015
test1.cnnic.cn | 1024 bits SHA-256 | 6C F8 68 07 8F 67 DA 11 F9 30 E7 B2 5D CD 49 9F | 12-2015

Tuesday, June 23, 2015

June 23, 2015 Microsoft Certificate Trust List Update (Unofficial)

Microsoft June 23, 2015 Certificate Trust List Update 

Updated June 27 to reformat New Certificates section

I was reading Mozilla's Bugzilla, in which a gentleman from Keynectis/Opentrust stated:
We have been included in Microsoft root store. This has been confirmed by Jody. 5 new root CAs will be available in Microsoft June release, planned on the 23rd.

If you read my previous post on the Microsoft Certificate Trust List you'd know that it's hard to anticipate Microsoft certificate trust list changes.

To download a mirror of the Microsoft Certificate Trust List:

md .\wu
certutil.exe -syncwithwu .\wu

I checked this afternoon, yes, the CTL was updated.  Some quick analysis of this change, which added 17 Root Certificates and removed 1.

Several of the new certificates are not trusted for Server Authentication.
There are a few new Certificate Authorities, of which I don't have much information.

I wrote a script to build a MSCACERT.PEM file using the MS Certificate Trust List with just certificates trusted for server authentication, available here:


Microsoft used to document these changes, for example as linked below.  Maybe they will start announcing trust changes again soon.


The last update is a PDF released in September 2014, which welcomed Saudi Arabia's CA. sha1sum "Windows Root Certificate Program Members - Sept 2014.pdf" 

Windows Root Certificate Program Members - Sept 2014.pdf

For an earlier update on Microsoft's trust list changes this year see:

Update: three of these are ECC 384-bit roots.

5 2048 bit / sha256WithRSAEncryption
6 4096 bit / sha256WithRSAEncryption
1 4096 bit / sha384WithRSAEncryption
2 4096 bit / sha512WithRSAEncryption
3 384 bit / ecdsa-with-SHA384

The ECC roots, with links to their test websites:
C=FR, O=OpenTrust, CN=OpenTrust Root CA G3
C=FR, O=Certplus, CN=Certplus Root CA G2
C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root

Note (6/28) the WoSign new certificates are included in the Mozilla renewal request

New Certificate Authorities

Notarius Inc of Canada - http://www.notarius.com
     Trusted for Client Authentication, Secure Email, and Document Signing.
     "Notarius is a non-profit organization founded on 19 June 1996 by the Chambre des notaires du Québec (CNQ). Certified ISO 27001:2005, ISO 9001:2008 and recognized by the Conseil du trésor du Québec, Notarius issues digital signatures to Canadian professionals and their business partners."

    WebTrust Seal: https://cert.webtrust.org/SealFile?seal=1859&file=pdf

Deutscher Sparkassen Verlag GmbH of Germany (6/28: not new)

Swedish Social Insurance Agency of Sweden
  Trusted for all.
  "Försäkringskassan’s role is to administer social insurance and to ensure that you get the benefits and allowances you are entitled to."

MULTICERT - Serviços de Certificação Electrónica S.A. of Portugal
   Trusted for all.
   "MULTICERT has started its business activity in 2002 with a group of 16 employees. Over the years, we have consolidated ourselves as project developers and as a digital security solutions company, bringing our expertise and technical knowledge into the electronic certification field. Our expertise has been acquired in several projects in which we participated, both in the banking and government sectors."
   Submitted to Mozilla

National Digital Certification Agency of Tunisia (6/28: Not new)
   Home page is anchored to old revoked root.

New Root Certificates (17)

SHA1 Thumbprint | Current CA Owner | Country | Root CA Name | Algorithm | Expiration | Trusted For
1f3f1486b531882802e87b624d420295a0fc721a | Notarius Inc | Canada | Notarius Root Certificate Authority | RSA 4096 | 12-2034 | Client
0f36385b811a25c39b314e83cae9346670cc74b4 | GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. | China | GDCA TrustAUTH R5 ROOT | RSA 4096 | 12-2040 | Server Client Code Time
fbeddc9065b7272037bc550c9c56debbf27894e1 | WoSign CA Limited | China | Certification Authority of WoSign G2 | RSA 2048 | 11-2044 | Server Client Code Time
d27ad2beed94c0a13cc72521ea5d71be8119f32b | WoSign CA Limited | China | CA WoSign ECC Root | ECDSA 384 | 11-2044 | Server Client Code Time
22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766 | OpenTrust | France | Certplus Root CA G1 | RSA 4096 | 1-2038 | Server Client Code
4f658e1fe906d82802e9544741c954255d69cc1a | OpenTrust | France | Certplus Root CA G2 | ECDSA 384 | 1-2038 | Server Client Code
7991e834f7e2eedd08950152e9552d14e958d57e | OpenTrust | France | OpenTrust Root CA G1 | RSA 4096 | 1-2038 | Server Client Code
795f8860c5ab7c3d92e6cbf48de145cd11ef600b | OpenTrust | France | OpenTrust Root CA G2 | RSA 4096 | 1-2038 | Server Client Code
6e2664f356bf3455bfd1933f7c01ded813da8aa6 | OpenTrust | France | OpenTrust Root CA G3 | ECDSA 384 | 1-2038 | Server Client Code
1b3d1114ea7a0f9558544195bf6b2582ab40ce9a | Deutscher Sparkassen Verlag GmbH | Germany | S-TRUST Universal Root CA | RSA 2048 | 10-2038 | Server Client Time
3bc6dce00307bd676041ebd85970c62f8fda5109 | India PKI | India | CCA India 2015 SPL | RSA 2048 | 1-2025 | Client Time
a2b86b5a68d92819d9ce5dd6d7969a4968e11991 | India PKI | India | CCA India 2014 | RSA 2048 | 3-2024 | Client Time
46af7a31b599460d469d6041145b13651df9170a | MULTICERT | Portugal | MULTICERT Root Certification Authority 01 | RSA 4096 | 4-2039 | Server Client Code Time
32f442093b36d7031b75ca4daddcb327faa02b9c | Swedish Social Insurance Agency | Sweden | Swedish Government Root Authority v2 | RSA 4096 | 5-2040 | Server Client Code Time
9638633c9056ae8814a065d23bdc60a0ee702fa7 | Tunisian National Digital Certification Agency | Tunisia | Tunisian Root Certificate Authority - TunRootCA2 | RSA 4096 | 5-2027 | Server Client Code Time
2c8affce966430ba04c04f81dd4b49c71b5b81a0 | Cisco Systems | USA | Cisco RXC-R2 | RSA 2048 | 7-2034 | Server Client
8094640eb5a7a1ca119c1fddd59f810263a7fbd1 | GlobalSign | USA | GlobalSign Root CA - R6 | RSA 4096 | 12-2034 | Code Time

Notes: (1)
"GlobalSign is a WebTrust-certified certificate authority and provider of Identity Services. Founded in 1996. and presently a subsidiary of GMO CLOUD K.K. in Japan, the company offers a diverse range of Identity service solutions."
9.1.4 Issuer Country Name Field
Certificate Field: issuer:countryName (OID
Required/Optional: Required
Contents: This field MUST contain the two-letter ISO 3166-1 country code for the country in which the issuer’s place of business is located.

Removed/Retired Root Certificates

This is the 1024-bit Equifax root.
SHA1 Fingerprint=DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
subject= /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1

Saturday, June 13, 2015

Elliptic Curve Certificate Authority Ecosystem

This week (June 11-12) saw a lot of buzz around the Workshop on Elliptic Curve Cryptography Standards #ECCWorkshop held at the United States NIST.  This provided a dramatic mixture of high math, high drama, public policy, and painful attempts to avoid mentioning Edward Snowden.

One very interesting presentation was given by a CA:

  1. Symantec's view on current state of ECC 
    Presented by: Rick Andrews, Symantec (audio out of sync)

In his presentation, Rick mentioned the number of ECC roots that are currently supported by browsers.  These are all signed using the old NIST curves P384 and P256 (GlobalSign R4).  While it might seem that the (hopefully) new standard curves would make these irrelevant, in fact they are probably going to be used to sign new intermediates to bootstrap the trust, to avoid IP issues with the RSA roots (or the other way around).

All of the ECDSA certificate authorities are based in the United States (Entrust appears to have a Canadian parent).  Symantec owns VeriSign and Thawte, so there are really only 5 Certificate Authorities that offer ECDSA certificates.  All of the CAs belong to the CA Security Council, which appears to be a marketing council not unlike the National Dairy Council.

The presentation is comprehensive (go watch it, I'll wait), but while he summarizes the certificates and roots he didn't provide a table listing them, so here is one, along with Test URLs where I could find them.

Status | Root CA Name | SHA1 Thumbprint
AMND | Entrust Root Certification Authority - EC1 | 20D80640DF9B25F512253A11EAF7598AEB14B547
MND | COMODO **** | 9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311
MN | USERTrust **** | D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
AMND | DigiCert Assured ID Root G3 | F517A24F9A48C6C9F8A200269FDC0F482CAB3089
AMND | DigiCert Global Root G3 | 7E04DE896A3E666D00E687D33FFAD93BE83D349E
AMN | GlobalSign ECC Root CA - R4 *5 | 6969562E4080F424A1E7199F14BAF3EE58AB6ABB
AMN | GlobalSign ECC Root CA - R5 *5 | 1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA
AMND | GeoTrust Primary Certification Authority - G2 | 8D1784D537F3037DEC70FE578B519A99E610D7B0
AM | Symantec Class 1 Public Primary Certification Authority - G4 *** | 84F2E3DD83133EA91D19527F02D729BFC15FE667
AM | Symantec Class 2 Public Primary Certification Authority - G4 *** | 6724902E4801B02296401046B4B1672CA975FD2B
AM | Symantec Class 3 Public Primary Certification Authority - G4 | 58D52DB93301A4FD291A8C9645A08FEE7F529282
AMND | thawte Primary Root CA - G2 | AADBBC22238FC401A127BB38DDF41DDB089EF012
AMND | VeriSign Class 3 Public Primary Certification Authority - G4 * | 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
AMND | Trend Micro ** | B8236B002F1D16865301556C11A437CAEBFFC3BB

A= Apple
M = Microsoft
N = Mozilla NSS
D = anDroid

Also, just since it's always handy: Symantec SHA256 Test Page

Symantec has 5 trusted roots; I don't see the G4 roots on their roots page, and can't find test URLs for them.  They don't appear to have submitted them to Mozilla or Android, which would make the test URLs public.  The VeriSign root is documented as not being in use.

* "VeriSign Class 3 Public Primary CA - G4 Description: While this root is not being used today for Symantec's commercial certificate offerings, it is an ECC (Elliptic Curve Cryptography) root that will be used in the future to as the root of Trust for Class1, 2 and 3 certificates ECC certificates and should be included in root stores. ?"

** AffirmTrust ECC root test page uses the wrong hostname (commercial.affirmtrust.com) rather than "premiumecc.affirmtrust.com"

*** The Symantec Class 1&2 G4 certificates don't have test URLs listed in the bugzilla submissions, suggesting they are "non-SSL" roots.  This can be confirmed with certutil on Windows.

certutil -verify 6724902e4801b02296401046b4b1672ca975fd2b.crt
Verified Issuance Policies: All
Verified Application Policies: Client Authentication Secure Email
Cert is a CA certificate
Cannot check leaf certificate revocation status

CertUtil: -verify command completed successfully.

**** The Comodo & UserTrust ECC roots are not directly trusted by Android or Apple.  However, Comodo has cross signed intermediates to other roots that are trusted, so these links work, but the trust is asserted using sha384withRSA.


*5 GlobalSign says "ECC Certificates (Not yet in use.)".

Friday, June 5, 2015

June 9 Update:

In what is probably just a case of great minds thinking alike, the US House of Representatives Energy & Commerce committee sent letters to the browser vendors asking about restricting government CAs.


On June 5, 2015, Microsoft updated the

"Microsoft Trusted Root Certificate: Program Requirements"

I think this is when it was changed. There is no date or version on the page; unlike the former version, you can't tell when it changed or view the revision history.


The previous version was at the link below, which shows the history; it was updated to redirect to the page above.


The second-to-last word on the current page is a typo, "thhhe"; when that is fixed we'll know something changed, but what... (I archived it).


A lot has changed, some notable and welcome changes:

 "7. All roots that are being used to issue new certificates, and which directly or transitively chain to a certificate included in the Program, must either be limited or be publicly disclosed and audited."

This seems to mean Intermediate Certificate Authority Certs require WebTrust / ETSI audits, or constraints. This is great news, many of the breaches in the past have been from sub-CAs, including the recent CNNIC incident.

 "8. Government CAs must restrict server authentication to .gov domains and may only issues other certificates to the ISO3166 country codes that the country has sovereign control over (see http://aka.ms/auditreqs section III for the definition of a “Government CA”). 

 9. Government CAs that also operate as commercial, non-profit, or other publicly-issuing entities must use a different root for all such certificate issuances (see http://aka.ms/auditreqs section III for the definition of a “Commercial CA”)."

These are changes that people have been clamoring for, for example out of concern about US and other government Certificate Authorities being able to issue general server authentication certificates.


Transparency: Mozilla provides a good example; everything is transparent.  Microsoft might want to allow applications to remain non-public during the initial process.  However, this is PUBLIC Key Infrastructure, and customers have given MS their trust. Once a CA is accepted and scheduled for distribution, customers should have the opportunity to review the criteria and decide whether to accept or block the trust. NIST.SP.800-52r1 section 4.5.2 requires administrators to manage the certificate trust list.

Minimum transparency would include a public notice after Step 2 of the intake process, along with public comment period. Public comments are normal for IETF, NIST, and other standards discussions, and could occur here. There is a possibility that the public may have strong, even misguided opinions but a robust public process can survive public discourse. 

When the new update to the Root Certificate Trust list is released, it should include advance customer notification such as through the Security Bulletin process.

Saturday, April 25, 2015

Analysis of the "List of available trusted root certificates in OS X Yosemite"

In the OS X Security update 2015-004/Yosemite 10.10.3, Apple updated the Certificate Trust List, or "CTL".  The CTL is the list of Certificate Authority Certificates (CA Certs) that the browser and operating system trust for establishing secure web connections (SSL/TLS, aka HTTPS).  Apple has been posting the list of certificates in the past few updates, which is a good step toward being more transparent; after all, transparency is a critical requirement for trustworthiness.


However, the list falls short.  For a normal user, it's a bunch of gobbledygook. For technical analysis, it is missing the key element (SHA1 Fingerprint) that is used to uniquely identify a certificate with high certainty.  Additionally the list doesn't explain what changes have occurred since the previous release, and why.  To really analyze it I had to compare extracts of the different certificate trust lists, made available on github by other researchers.

Briefly, for the "normal user", the CA Certificates are each controlled by a Certificate Authority (CA).  Each CA may own more than one "Root" Certificate: for example they may have different expiration dates or support different features, or the CA may have acquired other companies and not yet transitioned customers to its own "Root Certificates".  The Apple Certificate Trust List basically determines which CAs Safari or Chrome will trust, which means where websites can purchase certificates for secure web sites.  (Firefox has its own list.)

For the "Technical user", including those required to manage their organizations' Certificate Trust Lists, below is a breakdown of the certificates added and removed, and some inference as to why.

Overall this change from 10.10.0 to 10.10.3 includes welcome cleanup and reasonable preparation for future security requirements, but it's hard to tell that from the bulletin.
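The comparison described here, and the same work done by hand in the Microsoft CTL update posts above, as an added example (this is not Apple's or Microsoft's tooling, and not the author's script): parse two trust-store snapshots keyed by SHA-1 thumbprint, report roots added, removed and roots whose trust purposes changed, flag roots that are expired or below a minimum key size, and compute the SHA-1 thumbprint that this post notes Apple's list omits. The pipe-separated snapshot format, the `Root` and `parse_snapshot` names, the all-zero and all-f placeholder thumbprints, the purpose columns and the VRK expiry date are this example's assumptions; the other thumbprints, key sizes and dates come from the tables in these posts.

```python
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Root:
    thumbprint: str           # SHA-1 over the DER certificate, 40 lower-case hex chars
    name: str
    algorithm: str            # "RSA" or "ECDSA"
    bits: int                 # public key size
    expires: date
    purposes: frozenset[str]  # trust purposes (Server, Client, Code, Time, ...)


_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def parse_snapshot(text: str) -> dict[str, Root]:
    """Parse 'thumbprint | name | algorithm | bits | m/d/yyyy | purposes' lines (assumed format)."""
    roots: dict[str, Root] = {}
    for line in text.strip().splitlines():
        tp, name, alg, bits, exp, purposes = (f.strip() for f in line.split("|"))
        tp = tp.replace(" ", "").lower()   # tolerate thumbprints split by a space in pasted tables
        if not _HEX40.match(tp):
            raise ValueError(f"not a SHA-1 thumbprint: {tp!r}")
        m, d, y = (int(x) for x in exp.split("/"))
        roots[tp] = Root(tp, name, alg.upper(), int(bits), date(y, m, d),
                         frozenset(purposes.split()))
    return roots


def diff_snapshots(old: dict[str, Root], new: dict[str, Root]):
    """Return (added, removed, changed): thumbprints added/removed, and purpose changes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {tp: (old[tp].purposes, new[tp].purposes)
               for tp in sorted(set(old) & set(new)) if old[tp].purposes != new[tp].purposes}
    return added, removed, changed


MIN_RSA_BITS = 2048   # 1024-bit RSA roots are being retired across the stores discussed here
MIN_EC_BITS = 256


def policy_findings(roots: dict[str, Root], today: date) -> list[tuple[str, str]]:
    """Flag roots that are expired or whose key is below the minimum size, in thumbprint order."""
    findings = []
    for tp in sorted(roots):
        r = roots[tp]
        if r.expires < today:
            findings.append((tp, "expired"))
        if r.algorithm == "RSA" and r.bits < MIN_RSA_BITS:
            findings.append((tp, f"weak RSA key ({r.bits} bits)"))
        if r.algorithm == "ECDSA" and r.bits < MIN_EC_BITS:
            findings.append((tp, f"weak EC key ({r.bits} bits)"))
    return findings


def sha1_thumbprint(pem: str) -> str:
    """SHA-1 thumbprint of a PEM certificate: the hash of the base64-decoded DER body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest()


# Constructed snapshots. The Entrust, KISA and Hellenic values come from the
# tables in these posts; the all-zero and all-f thumbprints are placeholders,
# the VRK expiry is made up, and the purpose columns are sample values rather
# than the stores' actual trust bits.
OLD_SNAPSHOT = """
99a69be61afe886b4d2b 82007cb854fc317e1539 | Entrust | RSA | 1024 | 5/25/2019 | Server Client
0000000000000000000000000000000000000000 | VRK Gov. Root CA | RSA | 2048 | 12/18/2023 | Server Client
ffffffffffffffffffffffffffffffffffffffff | KISA RootCA 3 | RSA | 2048 | 11/19/2014 | Server Client
"""
NEW_SNAPSHOT = """
0000000000000000000000000000000000000000 | VRK Gov. Root CA | RSA | 2048 | 12/18/2023 | Server Client Time
010c0695a6981914ffbf5fc6b0b695ea29e912a6 | Hellenic Academic and Research Institutions RootCA 2015 | RSA | 4096 | 6/30/2040 | Server Client Code Time
"""
# Not a real certificate: the body is base64 of the bytes b"abc", so the
# thumbprint is the well-known SHA-1 of "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    old, new = parse_snapshot(OLD_SNAPSHOT), parse_snapshot(NEW_SNAPSHOT)
    added, removed, changed = diff_snapshots(old, new)
    print("added:", added)
    print("removed:", removed)
    for tp, (before, after) in changed.items():
        print("changed:", tp, sorted(before), "->", sorted(after))
    for tp, issue in policy_findings(old, date(2015, 11, 23)):
        print("finding:", tp, old[tp].name, issue)
    print("thumbprint:", sha1_thumbprint(SAMPLE_PEM))
```

Keying on the thumbprint rather than the subject name is what makes the diff reliable: a CA can own several roots with the same or similar names (the "Root CA 1 G3" style renewals above), and only the hash of the DER identifies one certificate with certainty.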

6 new 4096-bit RSA CA Certificates from 3 existing Certificate Authorities

One new 4096bit CA Certificate for existing CA "ANF Autoridad de Certification" in Spain.
   ANF is a WebTrust audited, CabForum member, with current CPS & Audits
   English: https://www.anf.es/en/

Two new 4096bit CA Certificates for existing CA "Identrust", in the United States of America.
   Identrust is a WebTrust audited Certificate authority with current CPS & Audits

Three new 4096bit CA Certificates for existing CA "QuoVadis Limited"
   QuoVadis is a WebTrust audited, CabForum member, with current CPS & Audits, in Bermuda.
Removed Certificates (16 total)
     8 of these were 1024bit RSA certificates, removed as the industry is transitioning to 2048 or larger RSA Certificates.
     1 was expired.
     1 From SwissSign, 2048bit root retired in favor of 4096bit roots.
     2 from TDC Internet.DK, a Danish CA.  Denmark moved to "OCES" certificates for identifying people, so these companies no longer issue x.509 certificates.
     1 From VAS Latvijas Pasts SSI of Latvia
            Relevant discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=412747
     1 from AC Raíz Certicámara S.A. of Colombia
     2 from KMD-CA.DK, a Danish CA that stopped issuing certificates in 2003/2004.  Below is their web site as of 2007, the last time the Internet Archive captured it.  I don't know why it took so long to remove, it appears one of the certificates was nearing expiration which triggered a review.  Possibly the CA had issued 10 year SSL Certificates and Apple waited for those to age out, thankfully newer CABForum baseline requirements limit certificates to about three years (39 months).

26CAFF09A7AFBAE96810CFFF821A94326D2845AA.pem  (!MSFT!MOZ)
C=ES, ST=Barcelona, L=Barcelona (see current address at http://www.anf.es/es/address-direccion.html ), O=ANF Autoridad de Certificacion, OU=ANF Clase 1 CA/emailAddress=info@anf.es/serialNumber=G63287510, CN=ANF Global Root CA
            Not Before: Jun 10 17:45:38 2013 GMT
            Not After : Jun  5 17:45:38 2033 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

1B8EEA5796291AC939EAB80A811A7373C0937967.pem  (+MSFT+MOZ)
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3
            Not Before: Jan 12 17:27:44 2012 GMT
            Not After : Jan 12 17:27:44 2042 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

093C61F38B8BDC7D55DF7538020500E125F5C836.pem   (+MSFT+MOZ)
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
            Not Before: Jan 12 18:59:32 2012 GMT
            Not After : Jan 12 18:59:32 2042 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

4812BD923CA8C43906E7306D2796E6A4CF222E7D.pem  (+MSFT+MOZ)
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3
            Not Before: Jan 12 20:26:32 2012 GMT
            Not After : Jan 12 20:26:32 2042 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

BA29416077983FF4F3EFF231053B2EEA6D4D45FD.pem  (+MSFT!MOZ)
C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1
            Not Before: Jan 16 17:53:32 2014 GMT
            Not After : Jan 16 17:53:32 2034 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

DF717EAA4AD94EC9558499602D48DE5FBCF03A25.pem  (+MSFT!MOZ)
C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
            Not Before: Jan 16 18:12:23 2014 GMT
            Not After : Jan 16 18:12:23 2034 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)


KMD-CA.DK ceased operation as a Certificate Authority
C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Server/mail=infoca@kmd-ca.dk
            Not Before: Oct 16 19:19:21 1998 GMT
            Not After : Oct 12 19:19:21 2018 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Kvalificeret Person
            Not Before: Nov 21 23:24:59 2000 GMT
            Not After : Nov 22 23:24:59 2015 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

21FCBD8E7F6CAF051BD1B343ECA8E76147F20F8A (!MSFT!MOZ)
C=DK, O=TDC Internet, OU=TDC Internet Root CA
            Not Before: Apr  5 16:33:17 2001 GMT
            Not After : Apr  5 17:03:17 2021 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

8781C25A96BDC2FB4C65064FF9390B26048A0E01 (+MSFT!MOZ)
            Not Before: Feb 11 08:39:30 2003 GMT
            Not After : Feb 11 09:09:30 2037 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

086418E906CEE89C2353B6E27FBD9E7439F76316  (+MSFT!MOZ)
C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790, OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SSI(RCA)
            Not Before: Sep 13 09:22:10 2006 GMT
            Not After : Sep 13 09:27:57 2024 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

C=CO, O=Sociedad Cameral de Certificación Digital - Certicámara S.A., CN=AC Raíz Certicámara S.A.
            Not Before: Nov 27 20:46:29 2006 GMT
            Not After : Apr  2 21:42:02 2030 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Removed because it was replaced by
564B6F8C5638DC055BBA2BA1390F7E31954A5550  (!MSFT-MOZ)
C=CH, O=SwissSign, CN=SwissSign CA (RSA IK May 6 1999 18:00:58)/emailAddress=ca@SwissSign.com
            Not Before: Nov 26 23:27:41 2000 GMT
            Not After : Nov 26 23:27:41 2031 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Removed because it expired
C=KR, O=KISA, OU=Korea Certification Authority Central, CN=KISA RootCA 3
            Not Before: Nov 19 06:39:51 2004 GMT
            Not After : Nov 19 06:39:51 2014 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Removed because they are 1024bit (too weak)
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
            Not Before: Jan  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Not Before: May 18 00:00:00 1998 GMT
            Not After : Aug  1 23:59:59 2028 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado
            Not Before: Feb 25 14:10:22 1999 GMT
            Not After : Feb 20 14:10:22 2019 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=US, O=Equifax, OU=Equifax Secure Certificate Authority
            Not Before: Aug 22 16:41:51 1998 GMT
            Not After : Aug 22 16:41:51 2018 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Monday, April 13, 2015

Monitoring the Microsoft Certificate Trust List

Certificate Trust Lists (CTLs) play a very important part in the internet trust ecosystem, known as the Internet Public Key Infrastructure.  A CTL is a signed collection of root certificates, each belonging to a Certificate Authority (CA), that a platform is willing to trust.  There is a lot of focus on Certificate Authorities, particularly when one does something it should not.  However, the manager of the CTL is typically the browser vendor - primarily Apple, Microsoft, or Mozilla.  The browser vendor ultimately decides which CA certificates to preload into the browser/OS.  Here I'll show some analysis of the Microsoft CTL, particularly changes that have been made recently.

I'll focus on the Microsoft CTL because I think it has been a bit opaque.  Microsoft has diverse requirements for its CTL, because it supports more usage patterns (code signing, time stamping and document signing, among others) than Mozilla's, which covers TLS and email.  Microsoft also has a customer base that includes governments and large organizations, to which an independent organization might not be beholden.

Microsoft publishes information about its root program at the following site:


But frankly, they haven't been updating it lately.  Maybe they think their changes to the CTL are part of the Windows 10 Beta, but they are shipping the changes through Windows Update, which every client that pulls updates consumes.

The Windows Certificate Trust List is Dynamic

Microsoft's own documentation describes the mechanism:

"The Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8 operating systems include an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis. In Windows Server 2012 R2 and Windows 8.1, additional capabilities are available to control how the CTLs are updated."

In the current default configuration, the Windows operating system pulls updates to the CTL automatically from Windows Update, using the "Update Root Certificates" component.  This allows for responsiveness, in that a root can be distrusted ("disallowed") quickly through the companion Disallowed CTL that is fetched the same way.  However, the ability to automatically update the certificate trust list can give a bad impression if it is not done transparently.

Microsoft could be acting more transparently.

Last September, I was working with certutil and noticed that Microsoft had updated the CTL.  The CTL is a critical component of Windows, so one would expect some security bulletin to herald any change.  One might also expect changes to happen on a regular interval, with advance notice, so that site administrators following NIST guidelines can validate that a newly added CA certificate is trustworthy.  The last documented change to the Microsoft CTL was September 12, 2014, but it has been changed three times since.

1. September 12, 2014, Microsoft signed a new CTL.  I noticed it on September 22.  This included four new Certificate Authorities and a lot of new CA certs.  The new CA certs were mostly to assist in the SHA-2 migration; below are the new Certificate Authorities.

"NEW September 29, 2014 - The September 2014 Root Certificates Update  has been updated and the member list is available as a PDF document."

New Certificate Authorities should be a point of interest, if not concern.  Some people for example might not really want to trust the Government of Saudi Arabia, for various non-technical reasons.

CA Owner: Government of Hungary NISZ Zrt
Country: Hungary
CA Name: Főtanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató
Algo: RSA sha256 4096, Expires: 9/13/2033
SHA1: FFB7E08F66E1D0C2582F0245C4970292A46E8803

CA Owner: Government of Saudi Arabia, NCDC
Country: Saudi Arabia
CA Name: Saudi National Root CA
Algo: RSA sha256 2048, Expires: 11/28/2029
SHA1: 8351509B7DF8CFE87BAE62AEB9B03A52F4E62C79

CA Owner: Image-X Enterprises Inc
Country: USA
Algo: RSA sha512 4096, Expires: 6/20/2030
SHA1: 9F8DE799CF8764ED2466990564041B194919EDE8

Country: Japan
CA Name: JCAN Root CA1
Algo: RSA sha1 2048, Expires: 12/30/2029
SHA1: B954F0B5FB2E553CED3A812E279F27D4A0110329

2. January 22, 2015, Microsoft signed a new CTL.  I downloaded this February 19.  This update has still not been documented on Microsoft's website (linked above).  It included the elimination of one CA cert and the addition of seven new CA certificates, four of them for existing CAs and three for one new CA.

The one new Certificate Authority is interesting.  TrustCor Systems S. de R.L. is a company registered in Panama, and the certificates list Panama as the country.  They have hosting in Curaçao, an island nation in the Caribbean formerly part of the Netherlands Antilles.  Their website is https://www.trustcorsystems.com

CA Owner: TrustCor
Country: Panama, hosting in Curacao, Canadians outside Toronto.

CA Name: TrustCor Systems S. de R.L.
Comment: I had email discussions with an employee of TrustCor.  They are a startup, have passed a WebTrust audit but not yet issuing certificates to the general public.
Algo: RSA sha256 4096, Expires: 12/31/2034
SHA1: 3ee22adc267dde0eb0231745f6cf9d6eabd33c19

Algo: RSA sha256 2048, Expires: 12/31/2029
SHA1: 9cde26d07bb68de350c835e7950ee81cde9787f5

Algo: RSA sha256 2048, Expires: 12/31/2029
SHA1: be1af285f786cddbc430382eeff2a66dfbcd5dd0

3. February 23, 2015, Microsoft signed a new CTL.  I downloaded this on March 11.  (I'm now checking daily.)  This was a very interesting change, because it reduced the number of CA certificates in the trust list from 417 to 354.  Certificates were apparently eliminated for one of three reasons: expiration, protocol retirement (1024-bit RSA), and cessation of business.  The certificates removed for cessation were from AOL, DanID (Denmark), and Natixis (France).

This purge is a terrific step for Microsoft to take.  I speculate that the work is associated with the Windows 10 development, which will also include adding certificate pinning directly to the trust store.  Firefox and Chrome do this, and Microsoft provides pinning constraints through the Enhanced Mitigation Experience Toolkit (EMET).
The three removed without an obvious (expired/1024-bit) reason were:

C=DK, O=TDC Internet, OU=TDC Internet Root CA

C=FR, O=NATIXIS, OU=0002 542044524, CN=CESAM

C=US, O=America Online Inc., CN=America Online Root Certification Authority 2

4. April 11, 2015.   I was on vacation, so not checking every single day, but on April 11, 2015 I noticed that Microsoft had updated the certificate trust list again.  Oddly, the new file is also signed 2/23/2015 3:03PM.  Clearly though the files are different, as sha1sum shows if you download it every day.  This time 15 CA certs were removed, 7 of which are 1024-bit and so easily explained; the other 8 are 2048/4096-bit and not expired, so their removal could benefit from an explanation.

CA Certificates removed in the ~4/11 "stealth" update.  It used to be cool to make certificates that say "Locality = Internet".  Sorry VeriSign, the Baseline Requirements now require you to submit to a Nation State!

C=ES, ST=BARCELONA, L=BARCELONA, O=IPS Seguridad CA, OU=Certificaciones, CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado
L=Internet, O=VeriSign, Inc., OU=VeriSign Individual Software Publishers CA
L=Internet, O=VeriSign, Inc., OU=VeriSign Individual Software Publishers CA
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Expressz (Class C) Tanusitvanykiado
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com

C=AT, ST=Austria, L=Vienna, O=ARGE DATEN - Austrian Society for Data Protection, OU=A-CERT Certification Service, CN=A-CERT ADVANCED/emailAddress=info@a-cert.at
C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Global CA Root/emailAddress=global01@ipsca.com
L=Bogota AV Calle 26 N 68D-35, C=CO, O=Entidad de Certificacion Digital Abierta Certicamara S.A., CN=CERTICAMARA S.A.
C=AT, O=A-Trust, OU=A-Trust-nQual-01, CN=A-Trust-nQual-01
C=TN, O=ANCE, OU=Certification & PKI, CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Main CA Root/emailAddress=main01@ipsca.com

C=BG, O=InfoNotary PLC, DC=root-ca, CN=InfoNotary CSP Root, OU=InfoNotary CSP Root/emailAddress=csp@infonotary.com

Conclusion and next steps

Over the next year, as SHA1 deprecation and the Windows 10 release move closer, we can expect further efforts to clean up the CTL.  There are a number of certificates with questionable cryptographic parameters (exponent 3, 1024-bit keys, expired, no country, old CPS audits, etc).  Plus, I can show how to make a verified cacert.pem with only the 307 certificates that are valid for SSL Server Authentication (i.e., excluding code signing/time stamping certs).  I think Microsoft is making good progress, but just not explaining it to the world.
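The daily check described in this post (download the CTL, notice when it changed, and find out which roots came or went) and the server-authentication subset mentioned just above can be done from one parser.  The script below is an added example for this post, not code from Microsoft or from this blog: it walks the DER of authroot.stl down to the CTL body, records every trusted root's SHA1 thumbprint together with the EKU property that limits what Windows may use it for, diffs that against the previous run's snapshot, and lists the roots usable for SSL server authentication.  Assumptions: the file was fetched the way Windows does (in 2015 that was `curl -sO http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab` followed by `cabextract authrootstl.cab`, which yields authroot.stl); the EKU property `1.3.6.1.4.1.311.10.11.9` (CERT_ENHKEY_USAGE_PROP_ID) is stored as an OCTET STRING wrapping a DER SEQUENCE OF OID; a root with no EKU property is trusted for every purpose; and the PKCS#7 signature on the CTL is not checked here, so verify the file first (for example with `certutil -verifyCTL`).  `build_synthetic_stl` exists only to construct unsigned sample data so the parser can be exercised offline; the names `ctlwatch` and `ctl-baseline.json` are made up for this example.

```python
"""ctlwatch: parse Microsoft's authroot.stl (signed CTL), snapshot each trusted root's SHA1
thumbprint and permitted EKUs, diff against the last run.  Added example, not Microsoft tooling;
the PKCS#7 signature is NOT verified here (check the file with certutil -verifyCTL first)."""
import json, os, sys

OID_CTL = "1.3.6.1.4.1.311.10.1"            # szOID_CTL (encapsulated content type)
OID_EKU_PROP = "1.3.6.1.4.1.311.10.11.9"    # CERT_ENHKEY_USAGE_PROP_ID; assumed OCTET STRING of SEQUENCE OF OID
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
BASELINE = "ctl-baseline.json"              # hypothetical snapshot file name

def der_children(buf):
    """Yield (tag, value) for each DER TLV in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                       # long form: low 7 bits = number of length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def decode_oid(v):
    arcs, acc = [str(v[0] // 40), str(v[0] % 40)], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [str(acc)], 0
    return ".".join(arcs)

def parse_eku(attrs):
    """attrs = SET OF Attribute.  Return the EKU OID list, or None when unrestricted (all purposes)."""
    for _, attr in der_children(attrs):
        a = list(der_children(attr))                       # Attribute = SEQUENCE { OID, SET { value } }
        if decode_oid(a[0][1]) == OID_EKU_PROP:
            seq = next(der_children(next(der_children(a[1][1]))[1]))[1]   # SET { OCTET STRING { SEQUENCE OF OID } }
            return [decode_oid(o) for _, o in der_children(seq)]
    return None

def parse_stl(data):
    """Return (thisUpdate as encoded, {SHA1 thumbprint hex: EKU list or None})."""
    ci = list(der_children(next(der_children(data))[1]))   # ContentInfo { OID signedData, [0] SignedData }
    for tag, val in der_children(next(der_children(ci[1][1]))[1]):
        parts = list(der_children(val)) if tag == 0x30 else []
        if parts and parts[0][0] == 0x06 and decode_oid(parts[0][1]) == OID_CTL:
            break                                          # encapContentInfo { OID szOID_CTL, [0] CTL }
    else:
        raise ValueError("no szOID_CTL content in SignedData")
    this_update, subjects = None, {}
    for tag, val in der_children(next(der_children(parts[1][1]))[1]):
        if tag in (0x17, 0x18) and this_update is None:    # first UTCTime/GeneralizedTime is thisUpdate
            this_update = val.decode()
        elif tag == 0x30 and val[:1] == b"\x30":           # trustedSubjects = SEQUENCE OF SEQUENCE
            for _, subj in der_children(val):
                f = list(der_children(subj))               # [OCTET STRING sha1, SET attributes (optional)]
                subjects[f[0][1].hex().upper()] = parse_eku(f[1][1]) if len(f) > 1 else None
    return this_update, subjects

def diff_subjects(old, new):                               # -> (added, removed, eku_changed) thumbprints
    return (sorted(set(new) - set(old)), sorted(set(old) - set(new)),
            sorted(t for t in set(old) & set(new) if old[t] != new[t]))
def server_auth_roots(subjects):                           # unrestricted roots, or id-kp-serverAuth listed
    return sorted(t for t, ekus in subjects.items() if ekus is None or OID_SERVER_AUTH in ekus)

def _tlv(tag, body):                                       # minimal DER encoder, for sample data only
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def _oid(s):
    arcs = [int(a) for a in s.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        while a := a >> 7:
            enc.insert(0, 0x80 | (a & 0x7F))
        out += enc
    return bytes(out)

def build_synthetic_stl(this_update, entries):
    """CONSTRUCTED sample: unsigned CTL in authroot.stl layout from {sha1 hex: EKU list or None}."""
    subs = b""
    for sha1, ekus in entries.items():
        attrs = b""
        if ekus is not None:                               # CERT_ENHKEY_USAGE_PROP_ID attribute
            eku = _tlv(0x30, b"".join(_tlv(0x06, _oid(o)) for o in ekus))
            attrs = _tlv(0x31, _tlv(0x30, _tlv(0x06, _oid(OID_EKU_PROP)) + _tlv(0x31, _tlv(0x04, eku))))
        subs += _tlv(0x30, _tlv(0x04, bytes.fromhex(sha1)) + attrs)
    ctl = _tlv(0x30, _tlv(0x30, _tlv(0x06, _oid("1.3.6.1.4.1.311.10.3.9"))) + _tlv(0x17, this_update.encode())
               + _tlv(0x30, _tlv(0x06, _oid("1.3.14.3.2.26")) + b"\x05\x00") + _tlv(0x30, subs))  # usage, time, alg, subjects
    encap = _tlv(0x30, _tlv(0x06, _oid(OID_CTL)) + _tlv(0xA0, ctl))
    signed = _tlv(0x30, b"\x02\x01\x01\x31\x00" + encap + b"\x31\x00")              # version, digestAlgs, content, signerInfos
    return _tlv(0x30, _tlv(0x06, _oid("1.2.840.113549.1.7.2")) + _tlv(0xA0, signed))  # ContentInfo: signedData

if __name__ == "__main__":                                 # python ctlwatch.py authroot.stl
    this_update, now = parse_stl(open(sys.argv[1], "rb").read())
    prev = json.load(open(BASELINE)) if os.path.exists(BASELINE) else {}
    print(f"thisUpdate={this_update} roots={len(now)} serverAuth={len(server_auth_roots(now))}")
    for mark, items in zip(("+", "-", "~eku"), diff_subjects(prev, now)):
        for t in items:
            print(mark, t, now.get(t, prev.get(t)))
    json.dump(now, open(BASELINE, "w"))
```

Run it once a day against the freshly unpacked file: the first run only writes the baseline, later runs print the roots that were added (+), removed (-) or whose EKU property changed (~eku), plus the thisUpdate timestamp and the server-auth count.  Compared with hashing the whole cab, this tells you which roots moved and also catches a change in a root's trust bits (the kind of quiet edit the later post had to be amended for) even when no root was added or removed.  Feeding the server-auth thumbprints into certutil or openssl is then a matter of exporting those roots only.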