Tuesday, June 23, 2015

June 23, 2015 Microsoft Certificate Trust List Update (Unofficial)

Microsoft June 23, 2015 Certificate Trust List Update 

Updated June 27 to reformat New Certificates section

I was reading Mozilla's Bugzilla, in which a gentleman from Keynectis/Opentrust stated:

"We have been included in Microsoft root store. This has been confirmed by Jody. 5 new root CAs will be available in Microsoft June release, planned on the 23rd."

If you read my previous post on the Microsoft Certificate Trust List, you'd know that it's hard to anticipate Microsoft certificate trust list changes.

To download a mirror of the Microsoft Certificate Trust List:


md .\wu
certutil.exe -syncwithwu .\wu

I checked this afternoon and yes, the CTL was updated. Some quick analysis of this change, which added 17 root certificates and removed 1, follows.

Update:


Several of the new certificates are not trusted for Server Authentication.
There are a few new Certificate Authorities, about which I don't have much information.
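
One way to reproduce an added/removed count like the one above is to diff two copies of the mirror directory by thumbprint. This is an added example, not the author's script: it assumes each root in the certutil mirror is stored as <SHA-1 thumbprint>.crt in DER form, and the sample files it writes are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(mirror_dir):
    """Map SHA-1 thumbprint -> path for every root .crt in a mirror directory.

    Assumption: each root is stored as <sha1-thumbprint>.crt in DER form, so
    the SHA-1 of the file bytes must equal the file name. Files that fail
    this check are returned separately instead of being counted as roots.
    """
    roots, mismatched = {}, []
    for path in sorted(Path(mirror_dir).glob("*.crt")):
        digest = hashlib.sha1(path.read_bytes()).hexdigest()
        if digest == path.stem.lower():
            roots[digest] = path
        else:
            mismatched.append(path.name)
    return roots, mismatched


def diff_snapshots(old_dir, new_dir):
    """Return (added, removed, mismatched) between two mirror directories."""
    old, bad_old = snapshot(old_dir)
    new, bad_new = snapshot(new_dir)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return added, removed, sorted(set(bad_old + bad_new))


def _write_root(directory, content, name=None):
    """Constructed sample data: placeholder bytes stand in for DER certificates."""
    name = name or hashlib.sha1(content).hexdigest()
    (Path(directory) / f"{name}.crt").write_bytes(content)
    return name


def demo():
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        kept = _write_root(old, b"constructed root A")
        _write_root(new, b"constructed root A")
        retired = _write_root(old, b"constructed root B")
        fresh = _write_root(new, b"constructed root C")
        _write_root(new, b"tampered", name="0" * 40)  # name does not match content
        return diff_snapshots(old, new), (kept, retired, fresh)


if __name__ == "__main__":
    (added, removed, mismatched), _ = demo()
    print("added:", added, "removed:", removed, "name/hash mismatch:", mismatched)
```

Keeping a dated copy of the mirror before each sync gives diff_snapshots() its two inputs; a non-empty mismatch list means a file in the mirror is not the certificate its name claims.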

I wrote a script to build a MSCACERT.PEM file using the MS Certificate Trust List with just certificates trusted for server authentication, available here:

https://github.com/plaintextcity/MSCTL/blob/master/mscacert.cmd


Microsoft used to document these changes, for example in the page linked below. Maybe they will start announcing trust changes again soon.

http://social.technet.microsoft.com/wiki/contents/articles/1658.windows-root-certificate-program-members.aspx

The last update is a PDF released in September 2014, which welcomed Saudi Arabia's CA. Its sha1sum:

3a488ca0a3e2e03c452ea559f8fd3882ccc6be74  Windows Root Certificate Program Members - Sept 2014.pdf

For an earlier update on Microsoft's trust list changes this year see:
http://www.plaintextcity.com/2015/04/monitoring-microsoft-certificate-trust.html


Update: three of these are ECC 384-bit roots.

5 2048 bit / sha256WithRSAEncryption
6 4096 bit / sha256WithRSAEncryption
1 4096 bit / sha384WithRSAEncryption
2 4096 bit / sha512WithRSAEncryption
3 384 bit / ecdsa-with-SHA384

The ECC roots, with links to their test websites:
C=FR, O=OpenTrust, CN=OpenTrust Root CA G3
C=FR, O=Certplus, CN=Certplus Root CA G2
C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root

Note (6/28): the new WoSign certificates are included in the Mozilla renewal request.

New Certificate Authorities

Notarius Inc of Canada - http://www.notarius.com
     Trusted for Client Authentication, Secure Email, and Document Signing.
     "Notarius is a non-profit organization founded on 19 June 1996 by the Chambre des notaires du Québec (CNQ). Certified ISO 27001:2005, ISO 9001:2008 and recognized by the Conseil du trésor du Québec, Notarius issues digital signatures to Canadian professionals and their business partners."


GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. of China
    http://www.gdca.com.cn/
    WebTrust Seal: https://cert.webtrust.org/SealFile?seal=1859&file=pdf



Deutscher Sparkassen Verlag GmbH of Germany (6/28: not new)



Swedish Social Insurance Agency of Sweden
  Trusted for all.
  http://www.forsakringskassan.se
  "Försäkringskassan’s role is to administer social insurance and to ensure that you get the benefits and allowances you are entitled to."



MULTICERT - Serviços de Certificação Electrónica S.A. of Portugal
   Trusted for all.
   https://www.multicert.com
   "MULTICERT has started its business activity in 2002 with a group of 16 employees. Over the years, we have consolidated ourselves as project developers and as a digital security solutions company, bringing our expertise and technical knowledge into the electronic certification field. Our expertise has been acquired in several projects in which we participated, both in the banking and government sectors."
   Submitted to Mozilla


National Digital Certification Agency of Tunisia (6/28: Not new)
   https://www.certification.tn/en
   Home page is anchored to old revoked root.
   https://www.certification.tn/fr/content/certificats-racine




New Root Certificates (17)


| SHA1 Thumbprint | Current CA Owner | Country | Root CA Name | Algorithm | Expiration | Trusted For |
|---|---|---|---|---|---|---|
| 1f3f1486b531882802e87b624d420295a0fc721a | Notarius Inc | Canada | Notarius Root Certificate Authority | RSA 4096 | 12-2034 | Client |
| 0f36385b811a25c39b314e83cae9346670cc74b4 | GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. | China | GDCA TrustAUTH R5 ROOT | RSA 4096 | 12-2040 | Server Client Code Time |
| fbeddc9065b7272037bc550c9c56debbf27894e1 | WoSign CA Limited | China | Certification Authority of WoSign G2 | RSA 2048 | 11-2044 | Server Client Code Time |
| d27ad2beed94c0a13cc72521ea5d71be8119f32b | WoSign CA Limited | China | CA WoSign ECC Root | ECDSA 384 | 11-2044 | Server Client Code Time |
| 22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766 | OpenTrust | France | Certplus Root CA G1 | RSA 4096 | 1-2038 | Server Client Code |
| 4f658e1fe906d82802e9544741c954255d69cc1a | OpenTrust | France | Certplus Root CA G2 | ECDSA 384 | 1-2038 | Server Client Code |
| 7991e834f7e2eedd08950152e9552d14e958d57e | OpenTrust | France | OpenTrust Root CA G1 | RSA 4096 | 1-2038 | Server Client Code |
| 795f8860c5ab7c3d92e6cbf48de145cd11ef600b | OpenTrust | France | OpenTrust Root CA G2 | RSA 4096 | 1-2038 | Server Client Code |
| 6e2664f356bf3455bfd1933f7c01ded813da8aa6 | OpenTrust | France | OpenTrust Root CA G3 | ECDSA 384 | 1-2038 | Server Client Code |
| 1b3d1114ea7a0f9558544195bf6b2582ab40ce9a | Deutscher Sparkassen Verlag GmbH | Germany | S-TRUST Universal Root CA | RSA 2048 | 10-2038 | Server Client Time |
| 3bc6dce00307bd676041ebd85970c62f8fda5109 | India PKI | India | CCA India 2015 SPL | RSA 2048 | 1-2025 | Client Time |
| a2b86b5a68d92819d9ce5dd6d7969a4968e11991 | India PKI | India | CCA India 2014 | RSA 2048 | 3-2024 | Client Time |
| 46af7a31b599460d469d6041145b13651df9170a | MULTICERT | Portugal | MULTICERT Root Certification Authority 01 | RSA 4096 | 4-2039 | Server Client Code Time |
| 32f442093b36d7031b75ca4daddcb327faa02b9c | Swedish Social Insurance Agency | Sweden | Swedish Government Root Authority v2 | RSA 4096 | 5-2040 | Server Client Code Time |
| 9638633c9056ae8814a065d23bdc60a0ee702fa7 | Tunisian National Digital Certification Agency | Tunisia | Tunisian Root Certificate Authority - TunRootCA2 | RSA 4096 | 5-2027 | Server Client Code Time |
| 2c8affce966430ba04c04f81dd4b49c71b5b81a0 | Cisco Systems | USA | Cisco RXC-R2 | RSA 2048 | 7-2034 | Server Client |
| 8094640eb5a7a1ca119c1fddd59f810263a7fbd1 | GlobalSign | USA | GlobalSign Root CA - R6 | RSA 4096 | 12-2034 | Code Time |

Notes: (1)
"GlobalSign is a WebTrust-certified certificate authority and provider of Identity Services. Founded in 1996 and presently a subsidiary of GMO CLOUD K.K. in Japan, the company offers a diverse range of Identity service solutions."
9.1.4 Issuer Country Name Field
Certificate Field: issuer:countryName (OID 2.5.4.6)
Required/Optional: Required
Contents: This field MUST contain the two-letter ISO 3166-1 country code for the country in which the issuer’s place of business is located.


Removed/Retired Root Certificates

This is the 1024-bit Equifax root.
SHA1 Fingerprint=DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
subject= /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
