Tuesday, November 24, 2015

Microsoft November 23, 2015 Certificate Trust List Update Details

Edited 12/4 to show changed trust bits.
Microsoft has improved the transparency of its root certificate updates and the table, but clearly more is needed, because people who do follow it are still taken by surprise: http://hexatomium.github.io/2015/11/24/ms-quietly-adds-5-new-trusted-root-certs/

Microsoft's official announcements are now at aka.ms/rootupdates. Jody Cloutier, who manages the program, has also been posting notices on the CABForum mailing list.

Below is a summary of the last few updates, including detail on the November updates.

The August 2015 update just added additional trust bits for two Certificate Authorities, allowing them to be trusted for more purposes.

"Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation)"
"Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing"

The September 1, 2015 update was an unscheduled update to replace a root that was allowed to expire.

"an unscheduled update to the Trusted Root Store to update the expiration of the A-Trust-NQual-03 root."

The November 23, 2015 update includes the addition of four new certificates and the removal of 10.

New Certificate Authorities

No new Certificate Authorities joined the program this update.

New Root Certificates (4)

Hellenic Academic and Research Institutions added two new certificates.  Along with adding ECDSA, these look to be planned replacements for the existing roots that will retire in 2018/19.
I.CA of the Czech Republic also appears to be planning for expirations.
China Financial adds one new root that is only trusted for Document Signing.

| SHA1 Thumbprint | Current CA Owner | Country | Root CA Name | Algorithm | Size | Expiration |
|---|---|---|---|---|---|---|
| 010c0695a6981914ffbf 5fc6b0b695ea29e912a6 | Hellenic Academic and Research Institutions | Greece | Hellenic Academic and Research Institutions RootCA 2015 | RSA | 4096 | 6/30/2040 |
| 9ff1718d92d59af37d74 97b4bc6f84680bbab666 | Hellenic Academic and Research Institutions | Greece | Hellenic Academic and Research Institutions RootCA 2015 | ECDSA | 385 SHA384 | 6/30/2040 |
| 9b0959898154081bf6a9 0e9b9e58a4690c9ba104 | I.CA První certifikační autorita, a.s. | Czech Republic | I.CA Root CA | RSA | 4096 | 5/27/2040 |
| f02b70bde4eae02b2073 77b9fd4785e4c9cc55dc | China Financial | China | CFCA Identity CA | RSA | 4096 | 6/30/2040 |

Removed/Retired Root Certificates

Symantec retired five old certificates.
Entrust retired a 1024-bit root certificate.

Comodo retired a Usertrust root expiring in 2019.
Unizeto CERTUM retired a certificate; based on Bugzilla, I think they are reissuing a new one due to BR updates.
Camerfirma is retiring a 2047-bit root certificate, a legacy of old buggy software.
SG Trust Services (Societe Generale) seems to be out of the program.

| SHA1 Thumbprint | Current CA Owner | Country | Root CA Name | Algorithm | Size | Expiration |
|---|---|---|---|---|---|---|
| 99a69be61afe886b4d2b 82007cb854fc317e1539 | Entrust | Canada | Entrust | RSA | 1024 | 5/25/2019 |
| 0c628f5c5570b1c957fa fd383fb03d7b7dd7b9c6 | SG Trust Services | France | SG Trust Services | RSA | 4096 | 9/5/2030 |
| 3e5d358f283a0f647c1c 927ffbaad4852d997256 | Unizeto CERTUM | Poland | Certum Trusted Network CA 2 | RSA | 4096 | 10/6/2046 |
| ee29d6ea98e632c6e527 e0906f0280688bdf44dc | Camerfirma | Spain | Chambersign Public Notary Root | RSA | 2048 | 9/30/2037 |
| 58119f0e128287ea50fd d987456f4f78dcfad6d4 | Comodo | USA | USERTrust | RSA | 2048 | 6/24/2019 |
| ae5083ed7cf45cbc8f61 c621fe685d794221156e | Symantec | USA | TC TrustCenter Class 2 CA II | RSA | 2048 | 12/31/2025 |
| a69a91fd057f136a4263 0bb1760d2d51120c1650 | Symantec | USA | TC TrustCenter Class 4 CA II | RSA | 2048 | 12/31/2025 |
| 6b2f34ad8958be62fdb0 6b5ccebb9dd94f4e39f3 | Symantec | USA | TC TrustCenter Universal CA I | RSA | 2048 | 12/31/2025 |
| 9656cd7b57969895d0e1 41466806fbb8c6110687 | Symantec | USA | TC TrustCenter Universal CA III | RSA | 2048 | 12/31/2029 |
| c8ec8c879269cb4bab39 e98d7e5767f31495739d | Symantec | USA | VeriSign | RSA | 2048 | 7/16/2036 |

Changed Trust Attributes

VRK Gov. Root CA (Finland) added the TimeStamp Signing certificate purpose.
LAWTrust Root Certification Authority (New Zealand) removed the Server Authentication certificate purpose.
