Monday, April 13, 2015

Monitoring the Microsoft Certificate Trust List

Certificate Trust Lists (CTLs) play a very important part in the internet trust ecosystem, known as the Internet Public Key Infrastructure.  A CTL is a collection of certificates belonging to Certificate Authorities (CAs).  There is a lot of focus on Certificate Authorities, particularly when one does something it should not.  However, the manager of the CTL is typically the browser vendor - primarily Apple, Microsoft, or Mozilla.  The browser vendor ultimately decides which CA certs to preload into the browser/OS.  Here I'll show some analysis of the Microsoft CTL, particularly changes that have been made recently.

I'll focus on the Microsoft CTL because I think it has been a bit opaque.  Microsoft has diverse requirements for its CTL, because it supports more usage patterns than, for example, Mozilla's.  Microsoft also has a customer base that includes governments and large organizations, to which an independent organization might not be beholden.

Microsoft publishes information at the following site:

But frankly, they haven't been updating it lately.  Maybe they think their changes to the CTL are part of the Windows 10 Beta, but they are making the changes on Windows Update, which every client that pulls updates consumes.

The Windows Certificate Trust List is Dynamic

"The Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8 operating systems include an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis. In Windows Server 2012 R2 and Windows 8.1, additional capabilities are available to control how the CTLs are updated."

In the current default configuration, the Windows operating system pulls updates to the CTL automatically from Windows Update, using the "Update Root Certificates" component.  This allows for responsiveness, in that a certificate can be revoked ("disallowed") quickly.  However, the ability to automatically update the certificate trust list can give a bad impression if it is not done transparently.

Microsoft could be acting more transparently.

Last September, I was working with certutil and noticed that Microsoft had updated the CTL.  The CTL is a critical component of Windows, so one would expect that some security bulletin would herald any change.  One might expect this to happen on a regular interval, with advance notice so site administrators following NIST guidelines can validate that the CA Certificate is trustworthy.  The last documented change to the Microsoft CTL was September 12, 2014, but it has been changed three times since.

1. September 12, 2014, Microsoft signed a new CTL.  I noticed it on September 22.  This included four new Certificate Authorities, and a lot of new CA certs.  The new CA certs were mostly to assist in the SHA2 migration; below are the new Certificate Authorities.

"NEW September 29, 2014 - The September 2014 Root Certificates Update  has been updated and the member list is available as a PDF document."

New Certificate Authorities should be a point of interest, if not concern.  Some people for example might not really want to trust the Government of Saudi Arabia, for various non-technical reasons.

CA Owner: Government of Hungary NISZ Zrt 
Country: Hungary 
CA Name: Főtanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató 
Algo: RSA sha256 4096 9/13/2033 
SHA1: FFB7E08F66E1D0C2582F0245C4970292A46E8803

CA Owner: Government of Saudi Arabia, NCDC
Country: Saudi Arabia
CA Name: Saudi National Root CA
Algo: RSA sha256 2048 11/28/2029
SHA1: 8351509B7DF8CFE87BAE62AEB9B03A52F4E62C79 

CA Owner: Image-X Enterprises Inc 
Country: USA 
Algo: RSA sha512 4096 6/20/2030 
SHA1: 9F8DE799CF8764ED2466990564041B194919EDE8

Country: Japan
CA Name: JCAN Root CA1
Algo: RSA sha1 2048 12/30/2029
SHA1: B954F0B5FB2E553CED3A812E279F27D4A0110329

2. January 22, 2015, Microsoft signed a new CTL.  I downloaded this February 19.  This update has still not been documented on Microsoft's website (linked above).  This update included the elimination of one CA Cert, and the addition of seven new CA Certificates, four for existing CAs.

The one new Certificate Authority is interesting.  TrustCor Systems S. de R.L. is a company registered in Panama, and the certificates list Panama as the country.  They have hosting in Curacao, which is an island nation in the Caribbean formerly part of the Dutch Antilles.  Their website is

CA Owner: TrustCor
Country: Panama, hosting in Curacao, Canadians outside Toronto.

CA Name: TrustCor Systems S. de R.L.,
Comment: I had email discussions with an employee of TrustCor.  They are a startup, have passed a WebTrust audit but not yet issuing certificates to the general public.
Algo:  RSA sha256 4096 12/31/2034
SHA1:  3ee22adc267dde0eb0231745f6cf9d6eabd33c19

Algo: RSA sha256 2048 12/31/2029
SHA1:  9cde26d07bb68de350c835e7950ee81cde9787f5

Algo: RSA sha256 2048 12/31/2029
SHA1:  be1af285f786cddbc430382eeff2a66dfbcd5dd0

3. February 23, 2015, Microsoft signed a new CTL.  I downloaded this on March 11.  (I'm now checking daily.)  This was a very interesting change, because it reduced the number of CA certificates in the trust list from 417 to 354.  Certificates were eliminated apparently for one of three reasons: expiration, retirement of weak keys (1024-bit), and cessation of business.  The certificates removed for cessation were from AOL, DanID (Denmark), and Netaxis (France).

This purge is a terrific step for Microsoft to take.  I speculate that the work is associated with the Windows 10 development, which will also include adding certificate pinning directly to the trust store.  Mozilla and Chrome do this, and Microsoft provides pinning constraints through the Enhanced Mitigation Experience Toolkit (EMET).

The three removed without obvious (expired/1024-bit) reasons were:

C=DK, O=TDC Internet, OU=TDC Internet Root CA

C=FR, O=NATIXIS, OU=0002 542044524, CN=CESAM

C=US, O=America Online Inc., CN=America Online Root Certification Authority 2

4. April 11, 2015.   I was on vacation, so not checking every single day, but on April 11, 2015 I noticed that Microsoft had updated the certificate trust list again.  Oddly, the new file is also signed 2/23/2015 3:03PM.  Clearly, though, the files are different, as the SHA1SUM tells you if you download it every day.  This time 15 CA certs were removed: 7 of them are 1024-bit, so easily explained; the other 8 were 2048/4096-bit and not expired, so they could benefit from an explanation.

CA certificates removed in the ~4/11 "stealth" update.  It used to be cool to make certificates that say "Locality = Internet".  Sorry Verisign, the Baseline Requirements now require you to submit to a Nation State!

L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado
L=Internet, O=VeriSign, Inc., OU=VeriSign Individual Software Publishers CA
L=Internet, O=VeriSign, Inc., OU=VeriSign Individual Software Publishers CA
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Expressz (Class C) Tanusitvanykiado
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=

C=AT, ST=Austria, L=Vienna, O=ARGE DATEN - Austrian Society for Data Protection, OU=A-CERT Certification Service, CN=A-CERT ADVANCED/
C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certification Electronique/
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Global CA Root/
L=Bogota AV Calle 26 N 68D-35, C=CO, O=Entidad de Certificacion Digital Abierta Certicamara S.A., CN=CERTICAMARA S.A.
C=AT, O=A-Trust, OU=A-Trust-nQual-01, CN=A-Trust-nQual-01
C=TN, O=ANCE, OU=Certification & PKI, CN=Agence Nationale de Certification Electronique/
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Main CA Root/

C=BG, O=InfoNotary PLC, DC=root-ca, CN=InfoNotary CSP Root, OU=InfoNotary CSP Root/

Conclusion and next steps

Over the next year, as SHA1 deprecation and the Windows 10 release move closer, we can expect further efforts to clean up the CTL.  There are a number of certificates with questionable cryptographic parameters (exponent 3, 1024-bit, expired, no country, old CPS audits, etc.).  Plus, I can show how to make a verified cacert.pem with only the 307 certificates that are valid for SSL Server Authentication (i.e., excluding code signing/time stamping certs).  I think Microsoft is making good progress, but just not explaining it to the world.
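The daily-check routine described above (diff two CTL snapshots, then triage each removed root as expired, 1024-bit, or needing an explanation, and keep only the Server Authentication subset for a cacert.pem), written out as an added example.  This is not the post's own tooling; the snapshot records, thumbprints and subject names are constructed for illustration, and the record layout (thumbprint, subject, RSA bits, NotAfter, EKU set) is an assumption about what you would extract from each root with certutil or openssl.

```python
"""Offline diff of two Microsoft CTL snapshots with triage of each removal.
Added example; every record below is constructed, not real CTL data."""
from datetime import date

TODAY = date(2015, 4, 11)  # the post's check date, used for expiry triage

def make(thumb, subject, bits, not_after, ekus):
    """One trusted root: (SHA-1 thumbprint, subject DN, RSA bits, NotAfter, EKUs)."""
    return (thumb.upper(), subject, bits, not_after, frozenset(ekus))

SNAPSHOT_FEB = [  # constructed "before" snapshot
    make("0001" * 10, "C=XX, O=Example Old Root 1024", 1024, date(2028, 1, 1), {"serverAuth"}),
    make("0002" * 10, "C=XX, O=Example Expired Root", 2048, date(2014, 12, 31), {"serverAuth"}),
    make("0003" * 10, "C=XX, O=Example Sound Root", 2048, date(2030, 1, 1), {"serverAuth", "codeSigning"}),
    make("0004" * 10, "C=XX, O=Example Code Signing Only", 4096, date(2030, 1, 1), {"codeSigning"}),
    make("0006" * 10, "C=XX, O=Example Removed Sound Root", 2048, date(2031, 1, 1), {"serverAuth"}),
]
SNAPSHOT_APR = [  # constructed "after" snapshot: three roots gone, one added
    SNAPSHOT_FEB[2], SNAPSHOT_FEB[3],
    make("0005" * 10, "C=XX, O=Example New Root", 4096, date(2034, 12, 31), {"serverAuth"}),
]

def diff_ctl(before, after):
    """Return (added, removed), keyed on thumbprint rather than subject:
    one CA can hold several roots with identical subject names."""
    b = {r[0]: r for r in before}
    a = {r[0]: r for r in after}
    added = [a[t] for t in sorted(a.keys() - b.keys())]
    removed = [b[t] for t in sorted(b.keys() - a.keys())]
    return added, removed

def removal_reason(rec, today=TODAY):
    """Expiry and 1024-bit keys explain a removal by themselves;
    anything else is the kind of change that deserves a vendor notice."""
    _, _, bits, not_after, _ = rec
    if not_after < today:
        return "expired"
    if bits < 2048:
        return "weak-key"
    return "unexplained"

def server_auth_only(records):
    """The subset worth writing into a cacert.pem for TLS server validation."""
    return [r for r in records if "serverAuth" in r[4]]

def report(before, after, today=TODAY):
    """Summarise a snapshot change: what appeared, what vanished and why."""
    added, removed = diff_ctl(before, after)
    return {"added": [r[1] for r in added],
            "removed": {r[1]: removal_reason(r, today) for r in removed},
            "server_auth_count": len(server_auth_only(after))}

if __name__ == "__main__":
    print(report(SNAPSHOT_FEB, SNAPSHOT_APR))
```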
