One very interesting presentation was given by a CA:
In his presentation, Rick mentioned the number ECC Roots that are currently supported by browsers. These are all signed using the old NIST curves P384 and P256 (GlobalSign R4). While it might seem that the (hopefully) new standard curves would make these irrelevant, in fact they are probably going to be used to sign new intermediates to bootstrap the trust, to avoid IP issues with the RSA roots (or the other way around).
All of the ECDSA certificate authorities are based in the United States (Entrust appears to have a Canadian parent). Symantec owns Verisign and Thawte, so there are really only 5 Certificate Authorities that offer ECDSA certificates. All of the CAs belong to the CA Security Council , which is appears to be a marketing council not very unlike the National Dairy Council.
The presentation is comprehensive (go watch it, I'll wait), but while he summarizes the certificates and roots he didn't provide a table listing them, so here is one, along with Test URLs where I could find them.
|Status||Root CA Name||SHA1 Thumbprint|
|AMND||Entrust RootCertification Authority- EC1||20D80640DF9B25F512253A11EAF7598AEB14B547|
|AMND||DigiCert Assured ID Root G3||F517A24F9A48C6C9F8A200269FDC0F482CAB3089|
|AMND||DigiCert Global RootG3||7E04DE896A3E666D00E687D33FFAD93BE83D349E|
|AMN||GlobalSign ECC RootCA - R4 *5||6969562E4080F424A1E7199F14BAF3EE58AB6ABB|
|AMN||GlobalSign ECC RootCA - R5 *5||1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA|
|AMND||GeoTrust Primary Certification Authority- G2||8D1784D537F3037DEC70FE578B519A99E610D7B0|
|AM||Symantec Class 1 Public Primary Certification Authority - G4 ***||84F2E3DD83133EA91D19527F02D729BFC15FE667|
|AM||Symantec Class 2 Public Primary Certification Authority - G4 ***||6724902E4801B02296401046B4B1672CA975FD2B|
|AM||Symantec Class 3 Public Primary Certification Authority - G4||58D52DB93301A4FD291A8C9645A08FEE7F529282|
|AMND||thawte Primary RootCA - G2||AADBBC22238FC401A127BB38DDF41DDB089EF012|
|AMND||VeriSign Class 3 Public Primary Certification Authority - G4 *||22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A|
|AMND||Trend Micro **||B8236B002F1D16865301556C11A437CAEBFFC3BB|
M = Microsoft
N = Mozilla NSS
D = anDroid
Also, just since it's always handy: Symantec SHA256 Test Page
Symantec has 5 trusted roots, I don't see the G4 roots on their roots page, and can't find test urls for them. They don't appear to have submitted them to Mozilla or Android which would make the test urls public. The Verisign root is documented as not being in use.
* "VeriSign Class 3 Public Primary CA - G4 Description: While this root is not being used today for Symantec's commercial certificate offerings, it is an ECC (Eliptic Curve Cryptography) root that will be used in the future to as the root of Trust for Class1, 2 and 3 certificates ECC certificates and should be included in root stores. ?"
** AffirmTrust ECC root test page uses the wrong hostname (commercial.affirmtrust.com) rather than "premiumecc.affirmtrust.com"
*** The Symantec Class 1&2 G4 certificates don't have test URLs listed in the bugzilla submissions, suggesting they are "non-SSL" roots. This can be confirmed with certutil on Windows.
certutil -verify 6724902e4801b02296401046b4b1672ca975fd2b.crt
Verified Issuance Policies: All
Verified Application Policies:
18.104.22.168.22.214.171.124.2 Client Authentication
126.96.36.199.188.8.131.52.4 Secure Email
Cert is a CA certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
**** The Comodo & UserTrust ECC roots are not directly trusted by Android or Apple. However, Comodo has cross signed intermediates to other roots that are trusted, so these links work, but the trust is asserted using sha384withRSA.
*5 GlobalSign says "ECC Certificates (Not yet in use.)".