Ralph Holz writes:
> Yes, with the second operation offline and validating against the NSS
> root store. I don't have an MS one at the moment, it would be interesting
> (how do you extract that from Win? The EFF guys should know)
You might look at https://www.eff.org/files/ssl-observatory-code-r1.tar_.bz2 in the microsoft_CAs directory. You can also look at https://social.technet.microsoft.com/wiki/contents/articles/microsoft-root-certificate-program.aspx which used to provide a PDF, but apparently now links to https://social.technet.microsoft.com/wiki/contents/articles/2592.aspx instead (not updated to reflect DigiNotar's removal).

One issue is that Microsoft has a protocol for MSIE to ask Microsoft interactively whether to trust a new CA. That means that the list of trusted CAs is not actually stored on an MSIE end-user's machine and can't be displayed in full inside MSIE. Instead, when a new CA is encountered, MSIE will query Microsoft and ask whether that CA should be trusted. Personally, I find this indeterminism and delegation concerning (since there's no way for users to review CAs ahead of time, or see whether a particular CA will or won't be trusted ahead of time).

On the other hand, a similar phenomenon occurs in other browsers with regard to intermediate CAs, because there's no way to get a list of intermediate CAs before they are encountered in the wild, and definitely no way to get an exhaustive list of all of the intermediate CAs that would be trusted. In fact, in some sense no one in the entire world is in possession of that list. :-(

Peter Eckersley has produced a list of intermediates which you can see visualized in https://www.eff.org/files/colour_map_of_CAs.pdf but of course that list derives from a scan from a particular point in time (and not using SNI); there is no guarantee that there aren't other intermediate CAs which simply weren't encountered that way (or even intermediate CAs whose existence is kept a secret and that are only used in a limited way by particular attackers under particular circumstances).
-- 
Seth Schoen <[email protected]>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
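Added example, not from this thread or from the EFF observatory code: a PowerShell check that lists the self-signed roots in the local machine's Root store next to those in the AuthRoot store (where Windows keeps roots it pulled down from Microsoft's root program on demand), so the gap between the locally visible list and the list Windows will actually trust becomes visible and exportable for an offline comparison. It assumes an elevated session on Windows and that the standard certificate provider paths Cert:\LocalMachine\Root and Cert:\LocalMachine\AuthRoot are present; the output file name is a placeholder.

```powershell
# Added example (not from the original mail or the EFF code): compare the
# locally visible Root store with the AuthRoot store, where roots fetched
# on demand from Microsoft's root program are cached.
# Assumptions: elevated PowerShell on Windows; standard Cert: provider paths.

function Get-RootStoreSummary {
    param([Parameter(Mandatory)][string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $_.Issuer } |   # self-signed roots only
        Select-Object @{ n = 'Store'; e = { $StorePath } },
                      Subject, Thumbprint, NotAfter
}

# Wrap in @() so .Count and + work even when a store holds a single cert.
$root     = @(Get-RootStoreSummary -StorePath 'Cert:\LocalMachine\Root')
$authRoot = @(Get-RootStoreSummary -StorePath 'Cert:\LocalMachine\AuthRoot')

# Roots that are trusted only because Windows fetched them automatically,
# i.e. they are absent from the Root store a user would normally inspect.
$autoOnly = @($authRoot | Where-Object { $_.Thumbprint -notin $root.Thumbprint })

"{0} roots in Root, {1} in AuthRoot, {2} present only via automatic fetch" -f `
    $root.Count, $authRoot.Count, $autoOnly.Count

$autoOnly | Sort-Object Subject |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Export the union so it can be diffed against a later snapshot or against
# another root store (for example an NSS export) offline.
# 'windows-roots.csv' is a placeholder path.
$root + $authRoot |
    Sort-Object Thumbprint -Unique |
    Export-Csv -Path .\windows-roots.csv -NoTypeInformation
```

Because AuthRoot only fills as new CAs are encountered, the count it reports is a lower bound on what the machine will trust, which is exactly the point made in the mail.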
