Saturday, April 25, 2015

Analysis of the "List of available trusted root certificates in OS X Yosemite"

In the OS X Security update 2015-004/Yosemite 10.10.3, Apple updated the Certificate Trust List, or "CTL".  The CTL is the list of Certificate Authority Certificates (CA Certs) that browsers and operating systems trust for establishing secure web connections (SSL/TLS, aka HTTPS).  Apple has been posting the list of certificates in the past few updates, which is a good step toward being more transparent; after all, transparency is a critical requirement for trustworthiness.

https://support.apple.com/en-us/HT202858

However, the list falls short.  For a normal user, it's a bunch of gobbledygook.  For technical analysis, it is missing the key element (SHA1 Fingerprint) that is used to uniquely identify a certificate with high certainty.  Additionally, the list doesn't explain what changes have occurred since the previous release, or why.  To really analyze it I had to compare extracts of the different certificate trust lists, made available on GitHub by other researchers.

Briefly, for the "normal user": the CA Certificates are each controlled by a Certificate Authority (CA).  Each CA may own more than one "Root" Certificate; for example, they may have different expiration dates or support different features, or the CA may have acquired other companies and not yet transitioned customers to their own "Root Certificates".  The Apple Certificate Trust List basically determines which CAs Safari or Chrome will trust, which means where websites can purchase certificates for secure web sites.  (Firefox has its own list.)

For the "Technical user", including those required to manage their organizations' Certificate Trust Lists, below is a breakdown of the certificates added and removed, and some inference as to why.

Overall this change from 10.10.0 to 10.10.3 includes welcome cleanup and reasonable preparation for future security requirements, but it's hard to tell that from the bulletin.



6 New 4096bit RSA CA Certificates from 3 existing Certificate Authorities

One new 4096bit CA Certificate for existing CA "ANF Autoridad de Certificacion" in Spain.
   ANF is a WebTrust audited, CabForum member, with current CPS & Audits
   https://cert.webtrust.org/ViewSeal?id=1833
   https://www.anf.es
   English: https://www.anf.es/en/

Two new 4096bit CA Certificates for existing CA "IdenTrust", in the United States of America.
   IdenTrust is a WebTrust audited Certificate Authority with current CPS & Audits
   https://cert.webtrust.org/ViewSeal?id=1720
   https://www.identrust.com

Three new 4096bit CA Certificates for existing CA "QuoVadis Limited"
   QuoVadis is a WebTrust audited, CabForum member, with current CPS & Audits, in Bermuda.
   https://cert.webtrust.org/ViewSeal?id=1851
   https://www.quovadisglobal.com
   https://www.quovadisglobal.com/QVRepository.aspx
   
Removed Certificates (16 total)
     8 of these were 1024bit RSA certificates, removed as the industry is transitioning to 2048 or larger RSA Certificates.
     1 was expired.
     1 From SwissSign, 2048bit root retired in favor of 4096bit roots.
     2 from TDC Internet.DK, a Danish CA.  Denmark moved to "OCES" certificates for identifying people, so these companies no longer issue x.509 certificates.
     1 From VAS Latvijas Pasts SSI of Latvia
            Relevant discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=412747
     1 from AC Raíz Certicámara S.A. of Colombia
     2 from KMD-CA.DK, a Danish CA that stopped issuing certificates in 2003/2004.  Below is their web site as of 2007, the last time the Internet Archive captured it.  I don't know why it took so long to remove; it appears one of the certificates was nearing expiration, which triggered a review.  Possibly the CA had issued 10 year SSL Certificates and Apple waited for those to age out.  Thankfully, newer CABForum baseline requirements limit certificates to about three years (39 months).
   



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
26CAFF09A7AFBAE96810CFFF821A94326D2845AA.pem  (!MSFT!MOZ)
C=ES, ST=Barcelona, L=Barcelona (see current address at http://www.anf.es/es/address-direccion.html ), O=ANF Autoridad de Certificacion, OU=ANF Clase 1 CA/emailAddress=info@anf.es/serialNumber=G63287510, CN=ANF Global Root CA
            Not Before: Jun 10 17:45:38 2013 GMT
            Not After : Jun  5 17:45:38 2033 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)


1B8EEA5796291AC939EAB80A811A7373C0937967.pem  (+MSFT+MOZ)
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3
            Not Before: Jan 12 17:27:44 2012 GMT
            Not After : Jan 12 17:27:44 2042 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

093C61F38B8BDC7D55DF7538020500E125F5C836.pem   (+MSFT+MOZ)
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
            Not Before: Jan 12 18:59:32 2012 GMT
            Not After : Jan 12 18:59:32 2042 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

4812BD923CA8C43906E7306D2796E6A4CF222E7D.pem  (+MSFT+MOZ)
C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3
            Not Before: Jan 12 20:26:32 2012 GMT
            Not After : Jan 12 20:26:32 2042 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

BA29416077983FF4F3EFF231053B2EEA6D4D45FD.pem  (+MSFT!MOZ)
C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1
            Not Before: Jan 16 17:53:32 2014 GMT
            Not After : Jan 16 17:53:32 2034 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

DF717EAA4AD94EC9558499602D48DE5FBCF03A25.pem  (+MSFT!MOZ)
C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
            Not Before: Jan 16 18:12:23 2014 GMT
            Not After : Jan 16 18:12:23 2034 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

------------------------------------------------------------------------------

KMD-CA.DK ceased operation as a Certificate Authority
4AD44D4D812E42232FE038764C7B0CEB466EEF96
C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Server/mail=infoca@kmd-ca.dk
            Not Before: Oct 16 19:19:21 1998 GMT
            Not After : Oct 12 19:19:21 2018 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

B6CA215B836C35101DAF7463900A936880767AA6
C=DK, O=KMD, OU=KMD-CA, CN=KMD-CA Kvalificeret Person
            Not Before: Nov 21 23:24:59 2000 GMT
            Not After : Nov 22 23:24:59 2015 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

21FCBD8E7F6CAF051BD1B343ECA8E76147F20F8A (!MSFT!MOZ)
C=DK, O=TDC Internet, OU=TDC Internet Root CA
            Not Before: Apr  5 16:33:17 2001 GMT
            Not After : Apr  5 17:03:17 2021 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Not Before: Apr  5 16:33:17 2001 GMT, Not After: Apr  5 17:03:17 2021 GMT

8781C25A96BDC2FB4C65064FF9390B26048A0E01 (+MSFT!MOZ)
C=DK, O=TDC, CN=TDC OCES CA
            Not Before: Feb 11 08:39:30 2003 GMT
            Not After : Feb 11 09:09:30 2037 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Not Before: Feb 11 08:39:30 2003 GMT, Not After: Feb 11 09:09:30 2037 GMT


086418E906CEE89C2353B6E27FBD9E7439F76316  (+MSFT!MOZ)
C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790, OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SSI(RCA)
            Not Before: Sep 13 09:22:10 2006 GMT
            Not After : Sep 13 09:27:57 2024 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)


CBA1C5F8B0E35EB8B94512D3F934A2E90610D336
C=CO, O=Sociedad Cameral de Certificaci\xC3\xB3n Digital - Certic\xC3\xA1mara S.A., CN=AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.
            Not Before: Nov 27 20:46:29 2006 GMT
            Not After : Apr  2 21:42:02 2030 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)


Removed because it was replaced by
564B6F8C5638DC055BBA2BA1390F7E31954A5550  (!MSFT-MOZ)
C=CH, O=SwissSign, CN=SwissSign CA (RSA IK May 6 1999 18:00:58)/emailAddress=ca@SwissSign.com
            Not Before: Nov 26 23:27:41 2000 GMT
            Not After : Nov 26 23:27:41 2031 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Removed because they expired
5F4E1FCF31B7913B850B54F6E5FF501A2B6FC6CF
C=KR, O=KISA, OU=Korea Certification Authority Central, CN=KISA RootCA 3
            Not Before: Nov 19 06:39:51 2004 GMT
            Not After : Nov 19 06:39:51 2014 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Removed because they are 1024bit (too weak)
209900B63D955728140CD13622D8C687A4EB0085
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
            Not Before: Jan  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

23E594945195F2414803B4D564D2A3A3F5D88B8C
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

627F8D7827656399D27D7F9044C9FEB3F33EFA9A
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

7E784A101C8265CC2DE1F16D47B440CAD90A1945
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

85371CA6E550143DCE2803471BDE3A09E8F8770F
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Not Before: May 18 00:00:00 1998 GMT
            Not After : Aug  1 23:59:59 2028 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

879F4BEE05DF98583BE360D633E70D3FFE9871AF
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado
            Not Before: Feb 25 14:10:22 1999 GMT
            Not After : Feb 20 14:10:22 2019 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

D23209AD23D314232174E40D7F9D62139786633A
C=US, O=Equifax, OU=Equifax Secure Certificate Authority
            Not Before: Aug 22 16:41:51 1998 GMT
            Not After : Aug 22 16:41:51 2018 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

DA40188B9189A3EDEEAEDA97FE2F9DF5B7D18A41
C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)


Monday, April 13, 2015

Monitoring the Microsoft Certificate Trust List

Certificate Trust Lists (CTL) play a very important part in the internet trust ecosystem, known as the Internet Public Key Infrastructure.  A CTL is a collection of certificates controlled by Certificate Authorities (CAs).  There is a lot of focus on Certificate Authorities, particularly when one does something it should not.  However, the manager of the CTL is typically the browser vendor - primarily Apple, Microsoft, or Mozilla.  The browser vendor ultimately decides what CA Certs to preload into the browser/OS.  Here I'll show some analysis of the Microsoft CTL, particularly changes that have been made recently.

I'll focus on the Microsoft CTL because I think it has been a bit opaque.  Microsoft has diverse requirements for their CTL, because it supports more usage patterns than Mozilla for example.  Microsoft also has a customer base that includes governments and large organizations, which an independent organization might not be beholden to.


Microsoft posts information at the following site:

https://goo.gl/jBabBW

But frankly, they haven't been updating it lately.  Maybe they think their changes to the CTL are part of the Windows 10 Beta, but they are making changes on Windows Update which all clients that pull updates consume.

The Windows Certificate Trust List is Dynamic

https://goo.gl/AfdB4Z

"The Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8 operating systems include an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis. In Windows Server 2012 R2 and Windows 8.1, additional capabilities are available to control how the CTLs are updated."

In the current default configuration, the Windows operating system pulls updates to the CTL automatically from Windows Update, using the "Update Root Certificates" component.  This allows for responsiveness, in that a certificate can be revoked ("disallowed") quickly.  However, the ability to automatically update the certificate trust list can give a bad impression if not done transparently.

Microsoft could be acting more transparently.

Last September, I was working with certutil and noticed that Microsoft had updated the CTL.  The CTL is a critical component of Windows, so one would expect that some security bulletin would herald any change.  One might expect this to happen on a regular interval, with advance notice so site administrators following NIST guidelines can validate that the CA Certificate is trustworthy.  The last documented change to the Microsoft CTL was September 12, 2014, but it has been changed three times since.

1. September 12, 2014, Microsoft signed a new CTL.  I noticed it on September 22.  This included four new Certificate Authorities, and a lot of new CA certs.  The new CA Certs were mostly to assist in the SHA2 migration; below are the new Certificate Authorities.

"NEW September 29, 2014 - The September 2014 Root Certificates Update  has been updated and the member list is available as a PDF document."

New Certificate Authorities should be a point of interest, if not concern.  Some people for example might not really want to trust the Government of Saudi Arabia, for various non-technical reasons.

CA Owner: Government of Hungary NISZ Zrt 
Country: Hungary 
CA Name: Főtanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató 
Algo: RSA sha256 4096 9/13/2033 
SHA1: FFB7E08F66E1D0C2582F0245C4970292A46E8803

CA Owner: Government of Saudi Arabia, NCDC
Country: Saudi Arabia
CA Name: Saudi National Root CA
Algo: RSA sha256 2048 11/28/2029
SHA1: 8351509B7DF8CFE87BAE62AEB9B03A52F4E62C79 

CA Owner: Image-X Enterprises Inc 
Country: USA 
CA Name: ESIGNIT.ORG 
Algo: RSA sha512 4096 6/20/2030 
SHA1: 9F8DE799CF8764ED2466990564041B194919EDE8

CA Owner: JIPDEC
Country: Japan
CA Name: JCAN Root CA1
Algo: RSA sha1 2048 12/30/2029
SHA1: B954F0B5FB2E553CED3A812E279F27D4A0110329

2. January 22, 2015, Microsoft signed a new CTL.  I downloaded this February 19.  This update has still not been documented on Microsoft's website (linked above).  This update included the elimination of one CA Cert, and the addition of seven new CA Certificates, four for existing CAs.

The one new Certificate Authority is interesting.  TrustCor Systems S. de R.L. is a company registered in Panama, and the certificates list Panama as the country.  They have hosting in Curacao, which is an island nation in the Caribbean formerly part of the Dutch Antilles.  Their website is https://www.trustcorsystems.com

CA Owner: TrustCor
Country: Panama, hosting in Curacao, Canadians outside Toronto.

CA Name: TrustCor Systems S. de R.L.,
Comment: I had email discussions with an employee of TrustCor.  They are a startup and have passed a WebTrust audit, but are not yet issuing certificates to the general public.
Algo:  RSA sha256 4096 12/31/2034
SHA1:  3ee22adc267dde0eb0231745f6cf9d6eabd33c19

Algo: RSA sha256 2048 12/31/2029
SHA1:  9cde26d07bb68de350c835e7950ee81cde9787f5

Algo: RSA sha256 2048 12/31/2029
SHA1:  be1af285f786cddbc430382eeff2a66dfbcd5dd0




3. February 23, 2015, Microsoft signed a new CTL.  I downloaded this on March 11.  (I'm now checking daily).  This was a very interesting change, because it reduced the number of CA certificates in the trust list from 417 to 354.  Certificates were apparently eliminated for one of three reasons: expiration, protocol retirement (1024 bit), and cessation of business.  The certificates removed for cessation were from AOL, DanID (Denmark), and Natixis (France).

This purge is a terrific step for Microsoft to take.  I speculate that the work is associated with the Windows 10 development, which will also include adding certificate pinning directly to the trust store.  Mozilla and Chrome do this, and Microsoft provides pinning constraints through the Enhanced Mitigation Experience Toolkit (EMET).

The three removed without obvious (expired/1024bit) reasons were:

21FCBD8E7F6CAF051BD1B343ECA8E76147F20F8A
C=DK, O=TDC Internet, OU=TDC Internet Root CA

67248980DE775D2C9B04E40307940BADB351F395
C=FR, O=NATIXIS, OU=0002 542044524, CN=CESAM

85B5FF679B0C79961FC86E4422004613DB179284
C=US, O=America Online Inc., CN=America Online Root Certification Authority 2



4. April 11, 2015.  I was on vacation, so not checking every single day, but on April 11, 2015 I noticed that Microsoft updated the certificate trust list again.  Oddly, the new file is also signed 2/23/2015 3:03PM.  Clearly, though, the files are different, as the SHA1SUM tells us if you download it every day.  This time 15 CA Certs were removed: 7 are 1024bit and so easily explained; the 8 others were 2048/4096bit and not expired, so they could benefit from explanation.

CA Certificates removed in ~4/11 "stealth" update.  It used to be cool to make certificates that say "Locality = Internet".  Sorry Verisign, the Baseline Requirements now require you to submit to a Nation State!

1024bit:
C=ES, ST=BARCELONA, L=BARCELONA, O=IPS Seguridad CA, OU=Certificaciones, CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado
L=Internet, O=VeriSign, Inc., OU=VeriSign Individual Software Publishers CA
L=Internet, O=VeriSign, Inc., OU=VeriSign Individual Software Publishers CA
C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Expressz (Class C) Tanusitvanykiado
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com

2048bit:
C=AT, ST=Austria, L=Vienna, O=ARGE DATEN - Austrian Society for Data Protection, OU=A-CERT Certification Service, CN=A-CERT ADVANCED/emailAddress=info@a-cert.at
C=TN, O=ANCE, OU=ANCE WEB, CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Global CA Root/emailAddress=global01@ipsca.com
L=Bogota AV Calle 26 N 68D-35, C=CO, O=Entidad de Certificacion Digital Abierta Certicamara S.A., CN=CERTICAMARA S.A.
C=AT, O=A-Trust, OU=A-Trust-nQual-01, CN=A-Trust-nQual-01
C=TN, O=ANCE, OU=Certification & PKI, CN=Agence Nationale de Certification Electronique/emailAddress=ance@certification.tn
C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Main CA Root/emailAddress=main01@ipsca.com

4096bit:
C=BG, O=InfoNotary PLC, DC=root-ca, CN=InfoNotary CSP Root, OU=InfoNotary CSP Root/emailAddress=csp@infonotary.com


Conclusion and next steps

Over the next year, as SHA1 deprecation and the Windows 10 release move closer, we can expect further efforts to clean up the CTL.  There are a number of certificates with questionable cryptographic parameters (exponent 3, 1024bit, expired, no country, old CPS audits, etc).  Plus, I can show how to make a verified cacert.pem with only the 307 certificates that are valid for SSL Server Authentication (i.e., excluding code signing/time stamping certs).  I think Microsoft is making good progress, but just not explaining it to the world.