The whole SSL certificate verification process depends upon finding a
trusted root certificate that signed the next certificate up the chain,
and so on.  But who chooses those trusted roots?  

The answer is the author of the application that accepts an SSL
certificate, or maybe the operating system the application is running
on, or the SSL library used to build the application. 

The bad news is that root certificates come and go, old roots stop
being accepted for various reasons, and new roots are introduced for
new security standards or new businesses.  

Historically most roots were RSA SHA-1 digest signed and most still are,
despite SHA-1 being banned for new certificates.  Increasingly SHA-256
and ECC root certificates are being introduced and required by new
intermediate certificates.

So SSL trusted root certificate bundles are always changing, annually
perhaps for major changes, although Microsoft officially updates Windows
roots every two months.

So there is a maintenance issue with root bundles, choosing what to
include and keeping them updated. Another developer got frustrated with
updating roots, and created a Git repository: 

https://github.com/nabla-c0d3/trust_stores_observatory

which contains a few hundred root certificates and lists of which trust
stores contain which roots, currently listing Apple iOS and macOS (173),
Google (135), Microsoft Windows (294) and Mozilla (133).

For the last few years, I have been manually updating three trust
stores for ICS:

1 - TrustedCABundle.pem is a small root certificate bundle, currently
52 roots, included in the Samples/Delphi/SslInternet/ directory.
Applications needing to check root certificates can copy this file. 

2 - A smaller list of 34 hard coded roots in
OverbyteIcsSslX509Utils.pas that allows major roots to be checked
without needing to include an extra external file in applications. 

3 - RootCaCertsBundle.pem which I distribute with my own applications,
and is a much larger root certificate bundle, about 280 roots including
many country specific roots, created using the PemTool by extracting
Windows root certificates.   I've added this to the ICS V8.53 for those
that need more roots. 

I'm now looking at a better way of maintaining the ICS root stores,
probably by using Trust Stores Observatory data, although it's
difficult to choose which root store to use, all contain more than our
smallest store.  

There have been changes to all three of these root stores this year,
adding new root certificates.  ICS V8.52 added DigiCert Global Root G2
and G3 root certificates. DigiCert now owns Symantec, Thawte, RapidSSL,
Geotrust and existing certificates are being re-issued signed by
DigiCert roots, so older root stores will stop trusting them.  ICS V8.53
last week added GlobalSign Root CA - R2 and GlobalSign ECC Root CA - R5
root certificates, the R2 root is old but was missing from our smaller
stores and is now used by Google.

So updating your root stores is important, if you don't want your
applications to stop trusting lots of common web sites. 

Angus
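
Added example (not part of the original message and not ICS code): one
way to see how a local PEM bundle differs from a reference trust store
is to compare SHA-256 fingerprints of the DER-encoded certificates. The
function names, the sample blocks (constructed bytes, not real
certificates) and the reference fingerprint set are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text):
    """Return {sha256_hex: position} for each certificate block in a bundle.

    Text between blocks (comments, subject names) is ignored, and a
    certificate that appears twice is reported once, at its first position.
    """
    result = {}
    for index, match in enumerate(PEM_RE.finditer(pem_text), start=1):
        # The fingerprint is taken over the DER bytes, not the PEM text.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        result.setdefault(hashlib.sha256(der).hexdigest(), index)
    return result

def compare_bundle(pem_text, reference):
    """Diff a local bundle against reference fingerprints (hex SHA-256)."""
    local = set(bundle_fingerprints(pem_text))
    # Accept upper-case and colon-separated fingerprints in the reference.
    reference = {fp.lower().replace(":", "") for fp in reference}
    return {"missing": sorted(reference - local),   # in reference, not local
            "extra": sorted(local - reference),     # local only
            "common": sorted(local & reference)}

def _fake_pem(der):
    # Constructed sample: arbitrary bytes standing in for a DER certificate.
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

SAMPLE_DER = [b"constructed-root-A" * 8,
              b"constructed-root-B" * 8,
              b"constructed-root-C" * 8]
# Local bundle holds A and B; the reference store lists B and C.
SAMPLE_BUNDLE = ("# Root A\n" + _fake_pem(SAMPLE_DER[0]) +
                 "# Root B\n" + _fake_pem(SAMPLE_DER[1]))
SAMPLE_REFERENCE = {hashlib.sha256(SAMPLE_DER[1]).hexdigest().upper(),
                    hashlib.sha256(SAMPLE_DER[2]).hexdigest()}

if __name__ == "__main__":
    for name, fps in compare_bundle(SAMPLE_BUNDLE, SAMPLE_REFERENCE).items():
        print(name, len(fps), fps)
```

Roots reported as "missing" are candidates to add to the local bundle;
roots reported as "extra" should be checked for removal by the reference
store before they are kept.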