Edited 12/4 to show changed trust bits.
Microsoft has improved the transparency of their root certificate updates and the table, but clearly more is needed because people who do follow it are still taken by surprise. http://hexatomium.github.io/2015/11/24/ms-quietly-adds-5-new-trusted-root-certs/
Microsoft's official announcements are now at aka.ms/rootupdates, also Jody Cloutier who manages the program has been posting notices on the CABForum mailing list.
Below is a summary of the last few updates, including detail on the November updates.
August 2015 update just added additional trust bits for two Certificate Authorities, allowing them to be trusted for more purposes.
"Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation)"
"Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing"
September 1, 2015 was an unscheduled update to replace a root that was allowed to expire.
November 23, 2015 includes the addition of four new certificates and removal of 10.
New Certificate Authorities
No new Certificate Authorities joined the program this update.
New Root Certificates (4)Hellenic Academic and Research Institutions added two new certificates. Along with adding ECDSA, these look to be planned replacements for the existing roots that will retire in 2018/19.
I.CA of Czech also appears to be planning for expirations.
China Financial adds one new root that is only trusted for Document Signing.
|SHA1 Thumbprint||Current CA Owner||Country||Root CA Name||Algorithm||Size||Expiration|
|010c0695a6981914ffbf 5fc6b0b695ea29e912a6||Hellenic Academic and Research Institutions||Greece||Hellenic Academic and Research Institutions RootCA 2015||RSA||4096||6/30/2040|
|9ff1718d92d59af37d74 97b4bc6f84680bbab666||Hellenic Academic and Research Institutions||Greece||Hellenic Academic and Research Institutions RootCA 2015||ECDSA385||SHA384||6/30/2040|
|9b0959898154081bf6a9 0e9b9e58a4690c9ba104||I.CA První certifikační autorita, a.s.||Czech Republic||I.CA Root CA||RSA||4096||5/27/2040|
|f02b70bde4eae02b2073 77b9fd4785e4c9cc55dc||China Financial||China||CFCA Identity CA||RSA||4096||6/30/2040|
Removed/Retired Root CertificatesSymantec retired five old certificates.
Entrust retired a 1024 bit root certificate.
Comodo retired a Usertrust root expiring in 2019.
Unizeto CERTUM retired a certificate, I think based on bugzilla they are reissuing a new one due to BR updates.
Camerfirma is retiring a 2047 bit root certificate, legacy of old buggy software.
SG Trust Services (Societe Generale) seems to be out of the program.
|SHA1 Thumbprint||Current CA Owner||Country||Root CA Name||Algorithm||Expiration||Expiration|
|0c628f5c5570b1c957fa fd383fb03d7b7dd7b9c6||SG Trust Services||France||SG Trust Services||RSA||4096||9/5/2030|
|3e5d358f283a0f647c1c 927ffbaad4852d997256||Unizeto CERTUM||Poland||Certum Trusted Network CA 2||RSA||4096||10/6/2046|
|ee29d6ea98e632c6e527 e0906f0280688bdf44dc||Camerfirma||Spain||Chambersign Public Notary Root||RSA||2048||9/30/2037|
|ae5083ed7cf45cbc8f61 c621fe685d794221156e||Symantec||USA||TC TrustCenter Class 2 CA II||RSA||2048||12/31/2025|
|a69a91fd057f136a4263 0bb1760d2d51120c1650||Symantec||USA||TC TrustCenter Class 4 CA II||RSA||2048||12/31/2025|
|6b2f34ad8958be62fdb0 6b5ccebb9dd94f4e39f3||Symantec||USA||TC TrustCenter Universal CA I||RSA||2048||12/31/2025|
|9656cd7b57969895d0e1 41466806fbb8c6110687||Symantec||USA||TC TrustCenter Universal CA III||RSA||2048||12/31/2029|
Changed Trust AttributesVRK Gov. Root CA (Finland) added TimeStamp Signing certificate purpose
LAWTrust Root Certification Authority (New Zealand) removed Server Authentication certificate purpose.