My friend and former colleague Ryan provided some helpful comments on the previous post regarding MD5-collision attack against incompetent CAs. (Ryan has also written an informative post about the attack on his blog.) Based on his pointers, here are some corrections and observations:
- The sparse appearance of the Vista trusted root store (compared to the 100+ roots in Windows XP) is largely an illusion. Both operating systems have a capability to update list of supported roots on demand from Windows Update. In XP most of the roots are pre-installed while Vista depends on this dynamic fetch process– which can be done in real-time when validating a new certificate to a greater extent.
- If a certificate authority does not show up in the root store does not mean that it is not trusted. There is always the possibility that consulting Windows update when attempting to build a certificate chain will lead to one or more new roots getting installed.
- A nasty surprise follows as corollary: removing a root from the trusted-roots node has no effect. It has to be explicitly placed in the untrusted roots store or the silent update from WU has to be disabled– the latter not being an advisable solution. Here is an extensive article about theproblem of dynamic installation of root certificates.
- There does not appear to be an official way to download a list of all trusted roots valid at a given point in time, although a knowledge base article from January ’08 documents the organizations who are members of the root certificate program. (Each company may have multiple roots and may introduce new ones over time via distribution from WU, there is no 1:1 correspondance. There is also no documentation of the fingerprints or other unique identifiers for the outstanding roots.)
- Microsoft requires the WebTrust for CAs certification standard for all CAs in the root program. WebTrust also has a series of requirements for extended validation certificates, which include the use of a stronger hash function such as SHA1 for issuance. (Not that it matters: websites using EV certificate are still vulnerable, as long as the code assign them identical trust as plain vanilla certificates. The green address bar and other window-dressing is intended for users’ eyes only; under the hood the code responsible for deciding to disclose data does not care about the distinciton.)