Saturday, June 13, 2015

Elliptic Curve Certificate Authority Ecosystem

This week (June 11-12) saw a lot of buzz around the Workshop on Elliptic Curve Cryptography Standards #ECCWorkshop held at the United States NIST.  This provided a dramatic mixture of high math, high drama, public policy, and painful attempts to avoid mentioning Edward Snowden.

One very interesting presentation was given by a CA:

  1. Symantec's view on current state of ECC 
    Presented by: Rick Andrews, Symantec (audio out of sync)

In his presentation, Rick mentioned the number of ECC roots that are currently supported by browsers.  These are all signed using the old NIST curves P384 and P256 (GlobalSign R4).  While it might seem that the (hopefully) new standard curves would make these irrelevant, in fact they are probably going to be used to sign new intermediates to bootstrap the trust, to avoid IP issues with the RSA roots (or the other way around).

All of the ECDSA certificate authorities are based in the United States (Entrust appears to have a Canadian parent).  Symantec owns Verisign and Thawte, so there are really only 5 Certificate Authorities that offer ECDSA certificates.  All of the CAs belong to the CA Security Council, which appears to be a marketing council not very unlike the National Dairy Council.

The presentation is comprehensive (go watch it, I'll wait), but while he summarizes the certificates and roots he didn't provide a table listing them, so here is one, along with Test URLs where I could find them.



| Status | Root CA Name | SHA1 Thumbprint |
|---|---|---|
| AMND | Entrust Root Certification Authority - EC1 | 20D80640DF9B25F512253A11EAF7598AEB14B547 |
| MND | COMODO **** | 9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311 |
| MN | USERTrust **** | D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0 |
| AMND | DigiCert Assured ID Root G3 | F517A24F9A48C6C9F8A200269FDC0F482CAB3089 |
| AMND | DigiCert Global Root G3 | 7E04DE896A3E666D00E687D33FFAD93BE83D349E |
| AMN | GlobalSign ECC Root CA - R4 *5 | 6969562E4080F424A1E7199F14BAF3EE58AB6ABB |
| AMN | GlobalSign ECC Root CA - R5 *5 | 1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA |
| AMND | GeoTrust Primary Certification Authority - G2 | 8D1784D537F3037DEC70FE578B519A99E610D7B0 |
| AM | Symantec Class 1 Public Primary Certification Authority - G4 *** | 84F2E3DD83133EA91D19527F02D729BFC15FE667 |
| AM | Symantec Class 2 Public Primary Certification Authority - G4 *** | 6724902E4801B02296401046B4B1672CA975FD2B |
| AM | Symantec Class 3 Public Primary Certification Authority - G4 | 58D52DB93301A4FD291A8C9645A08FEE7F529282 |
| AMND | thawte Primary Root CA - G2 | AADBBC22238FC401A127BB38DDF41DDB089EF012 |
| AMND | VeriSign Class 3 Public Primary Certification Authority - G4 * | 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A |
| AMND | Trend Micro ** | B8236B002F1D16865301556C11A437CAEBFFC3BB |

A = Apple
M = Microsoft
N = Mozilla NSS
D = anDroid

Also, just since it's always handy: Symantec SHA256 Test Page

Symantec has 5 trusted roots, I don't see the G4 roots on their roots page, and can't find test urls for them.  They don't appear to have submitted them to Mozilla or Android which would make the test urls public.  The Verisign root is documented as not being in use.

* "VeriSign Class 3 Public Primary CA - G4 Description: While this root is not being used today for Symantec's commercial certificate offerings, it is an ECC (Elliptic Curve Cryptography) root that will be used in the future to as the root of Trust for Class1, 2 and 3 certificates ECC certificates and should be included in root stores."

** AffirmTrust ECC root test page uses the wrong hostname (commercial.affirmtrust.com) rather than "premiumecc.affirmtrust.com"

*** The Symantec Class 1&2 G4 certificates don't have test URLs listed in the bugzilla submissions, suggesting they are "non-SSL" roots.  This can be confirmed with certutil on Windows.

certutil -verify 6724902e4801b02296401046b4b1672ca975fd2b.crt
..
------------------------------------
Verified Issuance Policies: All
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.4 Secure Email
Cert is a CA certificate
Cannot check leaf certificate revocation status

CertUtil: -verify command completed successfully.
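
To run the same check across several roots, saved certutil output can be parsed for the server authentication OID. The Python below is an added example, not part of the original post; the function names are hypothetical, and it assumes an unrestricted chain is printed as "Verified Application Policies: All", mirroring the issuance line.

```python
import re

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (RFC 5280)

# Output copied from the certutil run shown above (the elided ".." part omitted).
SAMPLE = """\
Verified Issuance Policies: All
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.4 Secure Email
Cert is a CA certificate
Cannot check leaf certificate revocation status

CertUtil: -verify command completed successfully.
"""

def application_policies(output):
    """Return {oid: name} of verified application policies, or None if unrestricted.

    Assumption: an unrestricted chain is reported as
    'Verified Application Policies: All', mirroring the issuance line.
    """
    lines = output.splitlines()
    for i, line in enumerate(lines):
        header = re.match(r"\s*Verified Application Policies:\s*(.*)$", line)
        if not header:
            continue
        if header.group(1).strip().lower() == "all":
            return None
        policies = {}
        # The policy list is the run of indented "OID name" lines that follows.
        for entry in lines[i + 1:]:
            m = re.match(r"\s+(\d+(?:\.\d+)+)\s*(.*)$", entry)
            if not m:
                break
            policies[m.group(1)] = m.group(2).strip()
        return policies
    raise ValueError("no 'Verified Application Policies' section in output")

def usable_for_tls_server(output):
    """True only if verification succeeded and server authentication is allowed."""
    if "command completed successfully" not in output:
        raise ValueError("certutil did not report a successful verification")
    policies = application_policies(output)
    return policies is None or SERVER_AUTH in policies

if __name__ == "__main__":
    print(application_policies(SAMPLE))
    print("TLS server root:", usable_for_tls_server(SAMPLE))
```

For the Class 2 G4 output above, only Client Authentication and Secure Email are returned, so the root is reported as not usable for TLS server certificates.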

**** The Comodo & UserTrust ECC roots are not directly trusted by Android or Apple.  However, Comodo has cross signed intermediates to other roots that are trusted, so these links work, but the trust is asserted using sha384withRSA.

https://www.ssllabs.com/ssltest/analyze.html?d=comodoecccertificationauthority-ev.comodoca.com
https://www.ssllabs.com/ssltest/analyze.html?d=usertrustecccertificationauthority-ev.comodoca.com


*5 GlobalSign says "ECC Certificates (Not yet in use.)".
https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates





