Hi Neil & David,

Thanks Neil for kind words and I also wish you a Healthy and Happy 2017!

List of available trusted root certificates in macOS Sierra
The macOS Sierra Trust Store contains trusted root certificates preinstalled with macOS.
<https://support.apple.com/en-us/HT207189>

List of available trusted root certificates in OS X El Capitan
The OS X Trust Store contains trusted root certificates that are preinstalled with OS X.
<https://support.apple.com/en-us/HT205204>

————————

Changes to Trusted Root Certificates in Mac OS Sierra and iOS 10
Apple’s Latest OS Trusts 165 Root Certificates.

/Begin Quote:

“Root Stores are a database of root certificates that a computer “trusts” as an issuer of SSL, Code Signing, and other X.509-standard certificates. This list of roots dictates what certificates your computer will automatically allow a connection with, or “trust.” Certificates originating from a root that is not on this list will have to be manually accepted, and are not practical for use on public websites or services.

These root certificates belong to Certificate Authorities (CAs), which consists of a wide range of organizations, including well-known cybersecurity companies like Symantec and Comodo, to regional providers and government offices.

The average user will only interact with certificates from a handful of these providers. But their devices, and hundreds of millions of other devices around the world still trust these certificates, which is often criticized as a security risk.

Vendors either maintain their own root store, or use an existing one. These root stores often have policies for acceptance, which include yearly audits and compliance reports to show that the CAs are following industry requirements. Microsoft and Apple maintain their own root stores for their operating systems. Mozilla also operates one used by its Firefox browser and many Linux distributions.

Operating Systems usually make changes to their trusted (and un-trusted) root certificates during major updates. Apple updates their trust store with every major release of Mac OS and iOS. Oftentimes this means the trusted root store is growing on each and every release. However, with Sierra and iOS 10, Apple’s trust store has actually gotten smaller.

Here are some quick facts about Apple’s trust store:

* Mac OS and iOS trust 165 root certificates in total. This is 23 fewer total certificates than the previous version (in El Capitan). Only two new roots have been added.
* Of the 165 root certificates, 152 use RSA keys and 13 use ECDSA keys. Of the RSA keys, 102 are 2048-bit and 50 are 4096-bit. Twelve of the ECDSA keys are 384-bit and one is 256-bit.
* Two root certificates expired before Sierra even released. A third is expiring this October. All three of those CAs (AS Sertifitseerimiskeskus, E-Turga, and BuyPass) have other roots that will remain trusted for some time.
* On the other end, the longest-living root is owned by Certum and won’t expire until 2046. At least it uses a 4096-bit RSA key...

UPDATE: Turkish CA TURKTRUST has announced that they will be suspending their SSL business as a result of not getting their new roots added to Apple’s store. Their current root will expire in December of 2017, giving them only one year until their certificates will become inoperable on Apple devices. It is well known within the CA/SSL industry that Apple’s CA program is one of the most difficult programs to work with.”

/End Quote

<https://www.thesslstore.com/blog/macos-trusted-root-certificates/>

Cheers,
Ronni

13-inch MacBook Air (April 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage

macOS Sierra 10.12.2

> On 2 Jan 2017, at 3:10 pm, Neil Houghton <[email protected]> wrote:
>
> Aaah – thanks for the clarification David.
>
> Yes, sometimes one wonders if the mutterings of incantations or the casting
> of runes might be beneficial ;o)
>
> Cheers
>
> Neil
> --
> Neil R. Houghton
> Albany, Western Australia
> Tel: +61 8 9841 6063
> Email: [email protected]
>
> on 2/1/17 14:35, David Noel at [email protected] wrote:
>
>> Hi Neil --
>>
>> -- You may not have received the last part of my reply to Ronni explaining
>> the cause of the problem. This was, in my Network preferences, under Proxy,
>> somehow "Web Proxy" and "Security Proxy" had become ticked. I never accessed
>> these, so it was presumably some glitch in Sierra which set them.
>>
>> When these items were un-ticked, the problem went away. There's still an
>> element of Black Magic about the whole thing, I guess.
>>
>> Cheers, David,
>>
>> On 2 January 2017 at 12:13, Neil Houghton <[email protected]> wrote:
>>> Hi Ronni,
>>>
>>> I have not been experiencing any of these problems myself – but I find it
>>> all very interesting stuff.
>>>
>>> So, if I read the article correctly, they say that it is the browser
>>> being used that allows or disallows access?
>>>
>>> So, presumably, the reason David has no problems with his SL 10.6.8 machine
>>> is down to the browsers being older and not incorporating these new
>>> security standards?
>>>
>>> However, I note that David said his problems began when he updated from
>>> 10.11 El Capitan to 10.12 Sierra – so I’m wondering if that could ALL be
>>> down to the browsers being used (Safari, Chrome & Firefox) – presumably
>>> they were not ALL simultaneously updated at the time of the OS update? So
>>> is it possible that some other aspect of the way Sierra operates that now
>>> gives the problem where there was no problem in El Capitan?
>>>
>>> I also noticed that David originally reported the problem in December – but
>>> fixed it by following your advice regarding updating certificates. When the
>>> problem resurfaced, it was reported by David on 1 January 2017 – which does
>>> tie in with the proposed start of the rejections as reported in the article.
>>>
>>> I will continue to watch David’s progress with interest.
>>>
>>> Ronni, thanks for all the wonderful advice that you so generously provide
>>> to WAMUG.
>>>
>>> Wishing you, and all WAMUG members, a healthy and happy 2017.
>>>
>>> Cheers
>>>
>>> Neil
>
> --
-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Settings & Unsubscribe - <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>

