Firewall Wizards mailing list archives
Re: Expiring root CA in web browsers --Y2K
From: Dan Geer <geer () world std com>
Date: Fri, 26 Nov 1999 12:20:16 -0500
While pinned down by Cardasians, don Wang <donwang () uac com> wrote:

> Folks,
>
> I am not sure if this is the right place to post this message. Since you
> guys are security experts in general, maybe you can shed some insight?
> or maybe suggest a better group to post? Thanks and happy holidays!
>
> Don

and the rest of his message eventually came to me. I am not on this list ordinarily, but I'm told you all might possibly profit from this year old analysis of expiring root certificates in popular browsers. If one of you is energized to do the updated version, I'd be obliged for a copy.

Best viewed in emacs.

Regards,

--dan

------- Forwarded Message

Date: Fri, 20 Nov 1998 19:00:31 -0500 (EST)
From: myself
To: coworkers
Subject: lifetime of certs now in circulation

********************************************
*** view this note in a fixed width font ***
********************************************

Colleagues,

I got curious about what certificates are in circulation before the general public so I looked at what server certificates are out there in the browsers as we speak. Note that the rate at which the general public updates its browsers is not reliable and is constrained by bloat for those who have anything but the most recent machinery. First the raw data then a comparison.

For each of Netscape v4.5 and Explorer v4.0, the certificates, ordered by expiration date are as follows:

===========================================================
Netscape v4.5
-----------------------------------------------------------
Wed Jul 15, 1998  BelSign Secure Server CA #00
Thu Jul 16, 1998  BelSign Class 1 CA
Thu Jul 16, 1998  BelSign Class 2 CA
Thu Jul 16, 1998  BelSign Class 3 CA
Thu Jul 16, 1998  MCI Mall CA
Sat Sep 19, 1998  BelSign Object Publishing CA #00
Thu May 06, 1999  KEYWITNESS, Canada CA
Wed Nov 03, 1999  VeriSign/RSA Commercial CA
Sat Dec 25, 1999  BBN Certificate Services CA Root 1
Thu Dec 30, 1999  AT&T Certificate Services
Thu Dec 30, 1999  GTE CyberTrust Secure Server CA
Fri Dec 31, 1999  CertiSign BR
Fri Dec 31, 1999  GTE CyberTrust Root CA #00
Fri Dec 31, 1999  VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999  VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999  VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999  VeriSign Class 4 Primary CA
Fri Dec 31, 1999  VeriSign/RSA Secure Server CA #..01
Tue Jan 16, 2001  AT&T Directory Services
Sun Apr 21, 2002  Uptime Group Plc. Class 1 CA
Sun Apr 21, 2002  Uptime Group Plc. Class 2 CA
Sun Apr 21, 2002  Uptime Group Plc. Class 3 CA
Sun Apr 21, 2002  Uptime Group Plc. Class 4 CA
Thu Feb 14, 2002  GTIS/PWGSC, Canada Gov. Web CA
Mon Aug 04, 2003  GTE CyberTrust Japan Root CA
Mon Aug 04, 2003  GTE CyberTrust Japan Secure Server CA
Wed Sep 17, 2003  GlobalSign Class 1 CA
Wed Jan 07, 2004  VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004  VeriSign Class 3 Primary CA #..32
Sat Dec 31, 2005  TC TrustCenter, Germany, Class 0 CA
Sat Dec 31, 2005  TC TrustCenter, Germany, Class 1 CA
Sat Dec 31, 2005  TC TrustCenter, Germany, Class 2 CA
Sat Dec 31, 2005  TC TrustCenter, Germany, Class 3 CA
Mon Aug 14, 2006  American Express CA
Thu Feb 23, 2006  GTE CyberTrust Root CA #01
Mon Jul 16, 2007  BelSign Secure Server CA #01
Wed Sep 19, 2007  BelSign Object Publishing CA #01
Mon Aug 11, 2008  GTE CyberTrust Root 2
Sun Aug 10, 2008  GTE CyberTrust Root 3
Thu Jan 07, 2010  VeriSign/RSA Secure Server CA #..C0
Tue Aug 13, 2013  GTE CyberTrust Root 4
Tue Sep 17, 2013  GlobalSign Partners CA
Wed Aug 14, 2013  American Express Global CA
Wed Aug 14, 2013  GTE CyberTrust Root 5
Fri May 27, 2016  Canada Post Corporation CA
Sat May 20, 2017  IBM World Registry CA
Sat May 20, 2017  Integrion CA
Tue Apr 25, 2017  GTIS/PWGSC, Canada Gov. Secure CA
Fri Aug 24, 2018  Equifax Premium CA
Mon Aug 13, 2018  GTE CyberTrust Global Root
Wed Aug 22, 2018  Equifax Secure CA
Thu Dec 31, 2020  TC TrustCenter, Germany, Class 4 CA
Thu Dec 31, 2020  Thawte Personal Basic CA
Thu Dec 31, 2020  Thawte Personal Freemail CA
Thu Dec 31, 2020  Thawte Personal Premium CA
Thu Dec 31, 2020  Thawte Personal Server CA
Thu Dec 31, 2020  Thawte Server CA
Tue Jan 07, 2020  VeriSign Class 1 Primary CA #..25

===========================================================
Explorer v4.0 (or 4.72.2106.8 if you prefer)
-----------------------------------------------------------
Thu Jul 16, 1998  MCI Mall CA
Thu May 06, 1999  KEYWITNESS, Canada CA
Wed Nov 03, 1999  VeriSign/RSA Commercial CA
Thu Dec 30, 1999  AT&T Certificate Services
Thu Dec 30, 1999  Microsoft Timestamp Root
Fri Dec 31, 1999  GTE CyberTrust Root CA #00
Fri Dec 31, 1999  VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999  VeriSign Class 4 Primary CA
Fri Dec 31, 1999  Verisign Commercial Software Publishers CA
Fri Dec 31, 1999  Verisign Individual Software Publishers CA
Fri Dec 31, 1999  Microsoft Authenticode(tm) Root
Tue Jan 16, 2001  AT&T Directory Services
Wed Jan 07, 2004  VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004  VeriSign Class 3 Primary CA #..32
Wed Jan 07, 2004  Verisign Commercial Software Publishers CA
Wed Jan 07, 2004  Verisign Individual Software Publishers CA
Wed Jan 07, 2004  Verisign Time Stamping Service Root
Fri Jan 01, 2010  Microsoft Root SGC Authority
Tue Jan 07, 2020  VeriSign Class 1 Primary CA #..25
Thu Dec 31, 2020  Thawte Personal Basic CA
Thu Dec 31, 2020  Thawte Personal Freemail CA
Thu Dec 31, 2020  Thawte Personal Premium CA
Thu Dec 31, 2020  Thawte Personal Server CA
Thu Dec 31, 2020  Thawte Server CA
Thu Dec 31, 2020  Microsoft Root Authority

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Next, this is a comparison of the two against each other

expiration M N issuer
---------------- -- -- ----------------------------------
Wed Jul 15, 1998 x BelSign Secure Server CA #00
Thu Jul 16, 1998 x BelSign Class 1 CA
Thu Jul 16, 1998 x BelSign Class 2 CA
Thu Jul 16, 1998 x BelSign Class 3 CA
Thu Jul 16, 1998 x x MCI Mall CA
Mon Jul 27, 1998 x Thawte Premium Server CA
Mon Jul 27, 1998 x Thawte Server CA
Sat Sep 19, 1998 x BelSign Object Publishing CA #00
Thu May 06, 1999 x x KEYWITNESS, Canada CA
Wed Nov 03, 1999 x x VeriSign/RSA Commercial CA
Sat Dec 25, 1999 x BBN Certificate Services CA Root 1
Thu Dec 30, 1999 x x AT&T Certificate Services
Thu Dec 30, 1999 x GTE CyberTrust Secure Server CA
Thu Dec 30, 1999 x Microsoft Timestamp Root
Fri Dec 31, 1999 x CertiSign BR
Fri Dec 31, 1999 x x GTE CyberTrust Root CA #00
Fri Dec 31, 1999 x Microsoft Authenticode(tm) Root
Fri Dec 31, 1999 x x VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999 x x VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999 x x VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999 x x VeriSign Class 4 Primary CA
Fri Dec 31, 1999 x Verisign Commercial Software Publishers CA
Fri Dec 31, 1999 x Verisign Individual Software Publishers CA
Fri Dec 31, 1999 x VeriSign/RSA Secure Server CA #..01
Tue Jan 16, 2001 x x AT&T Directory Services
Thu Feb 14, 2002 x GTIS/PWGSC, Canada Gov. Web CA
Sun Apr 21, 2002 x Uptime Group Plc. Class 1 CA
Sun Apr 21, 2002 x Uptime Group Plc. Class 2 CA
Sun Apr 21, 2002 x Uptime Group Plc. Class 3 CA
Sun Apr 21, 2002 x Uptime Group Plc. Class 4 CA
Mon Aug 04, 2003 x GTE CyberTrust Japan Root CA
Mon Aug 04, 2003 x GTE CyberTrust Japan Secure Server CA
Wed Sep 17, 2003 x GlobalSign Class 1 CA
Wed Jan 07, 2004 x VeriSign Class 1 Primary CA #..25
Wed Jan 07, 2004 x x VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004 x x VeriSign Class 3 Primary CA #..32
Wed Jan 07, 2004 x Verisign Commercial Software Publishers CA
Wed Jan 07, 2004 x Verisign Individual Software Publishers CA
Wed Jan 07, 2004 x Verisign Time Stamping Service Root
Sat Dec 31, 2005 x TC TrustCenter, Germany, Class 0 CA
Sat Dec 31, 2005 x TC TrustCenter, Germany, Class 1 CA
Sat Dec 31, 2005 x TC TrustCenter, Germany, Class 2 CA
Sat Dec 31, 2005 x TC TrustCenter, Germany, Class 3 CA
Mon Aug 14, 2006 x American Express CA
Thu Feb 23, 2006 x GTE CyberTrust Root CA #01
Mon Jul 16, 2007 x BelSign Secure Server CA #01
Wed Sep 19, 2007 x BelSign Object Publishing CA #01
Sun Aug 10, 2008 x GTE CyberTrust Root 3
Mon Aug 11, 2008 x GTE CyberTrust Root 2
Fri Jan 01, 2010 x Microsoft Root SGC Authority
Thu Jan 07, 2010 x VeriSign/RSA Secure Server CA #..C0
Tue Aug 13, 2013 x GTE CyberTrust Root 4
Wed Aug 14, 2013 x American Express Global CA
Wed Aug 14, 2013 x GTE CyberTrust Root 5
Tue Sep 17, 2013 x GlobalSign Partners CA
Fri May 27, 2016 x Canada Post Corporation CA
Tue Apr 25, 2017 x GTIS/PWGSC, Canada Gov. Secure CA
Sat May 20, 2017 x IBM World Registry CA
Sat May 20, 2017 x Integrion CA
Mon Aug 13, 2018 x GTE CyberTrust Global Root
Wed Aug 22, 2018 x Equifax Secure CA
Fri Aug 24, 2018 x Equifax Premium CA
Tue Jan 07, 2020 x x VeriSign Class 1 Primary CA #..25
Thu Dec 31, 2020 x Microsoft Root Authority
Thu Dec 31, 2020 x TC TrustCenter, Germany, Class 4 CA
Thu Dec 31, 2020 x x Thawte Personal Basic CA
Thu Dec 31, 2020 x x Thawte Personal Freemail CA
Thu Dec 31, 2020 x x Thawte Personal Premium CA
Thu Dec 31, 2020 x x Thawte Premium Server CA
Thu Dec 31, 2020 x x Thawte Server CA

giving a scorecard

n(Netscape-only)=40
n(Explorer-only)=12
n(both)         =18
+--------------------
n(Netscape)     =52
n(Explorer)     =30
n(total-certs)  =70

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Of course, it is particularly amusing to see which ones expire on or about Y2K day, namely

expiration M N issuer
---------------- -- -- ----------------------------------
Fri Dec 31, 1999 x CertiSign BR
Fri Dec 31, 1999 x x GTE CyberTrust Root CA #00
Fri Dec 31, 1999 x Microsoft Authenticode(tm) Root
Fri Dec 31, 1999 x x VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999 x x VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999 x x VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999 x x VeriSign Class 4 Primary CA
Fri Dec 31, 1999 x Verisign Commercial Software Publishers CA
Fri Dec 31, 1999 x Verisign Individual Software Publishers CA
Fri Dec 31, 1999 x VeriSign/RSA Secure Server CA #..01
---------------- -- -- ----------------------------------

       M=8      N=7
26% =  ---      ---  = 13%
       M=30     N=52

               10
or, overall,   --  = 14% of today's certs yield a Y2K event
               70

Of these, the one that is sure to cause the most confusion is the "Microsoft Authenticode(tm) Root" as it will cause events for other unrelated programs.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

I'm also pretty astonished that so many firms, viz. American Express, BelSign, Canada Post Corporation, Equifax, GTE CyberTrust, GTIS/PWGSC, GlobalSign Partners, IBM, Integrion, Microsoft, TC TrustCenter, Thawte, and VeriSign would issue certs that are valid beyond five years out. That is a pretty strong bet on there being no dangerous progress in number theory, computing horsepower, parallel processing, etc. The ones that are in the 2020 foresight group, VeriSign, Microsoft, TC TrustCenter, and Thawte really ought to have their heads examined or I'm too dense to get the joke.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

None of this means terribly much but it does show the state of the world and, like chewing gum, it might absorb your idle cycles for a bit.

--dan

------- End of Forwarded Message
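
The store-versus-store comparison in the forwarded note, as an added example that is not part of the original message: it merges two root inventories into the M/N table, derives the scorecard, and applies the note's two checks (expiry near a given day, validity more than five years out). The function names are hypothetical and the two small inventories are a constructed sample of rows from the lists above.

```python
from datetime import date

# Constructed sample: a few (issuer, notAfter) rows from the message's lists;
# a full run would load every root from each browser's store.
NETSCAPE = {
    ("CertiSign BR", date(1999, 12, 31)),
    ("GTE CyberTrust Root CA #00", date(1999, 12, 31)),
    ("AT&T Directory Services", date(2001, 1, 16)),
    ("GlobalSign Class 1 CA", date(2003, 9, 17)),
    ("Thawte Server CA", date(2020, 12, 31)),
}
EXPLORER = {
    ("GTE CyberTrust Root CA #00", date(1999, 12, 31)),
    ("Microsoft Authenticode(tm) Root", date(1999, 12, 31)),
    ("AT&T Directory Services", date(2001, 1, 16)),
    ("Thawte Server CA", date(2020, 12, 31)),
}

def compare(m, n):
    """Merge two stores into (notAfter, in_m, in_n, issuer) rows, by expiry."""
    # Key on (issuer, notAfter): one issuer name can carry several roots.
    return sorted((exp, (name, exp) in m, (name, exp) in n, name)
                  for name, exp in m | n)

def scorecard(rows):
    """Count roots only in M, only in N, in both, and overall."""
    both = sum(in_m and in_n for _, in_m, in_n, _ in rows)
    m = sum(in_m for _, in_m, _, _ in rows)
    n = sum(in_n for _, _, in_n, _ in rows)
    return {"m_only": m - both, "n_only": n - both, "both": both,
            "total": len(rows)}

def expiring_near(rows, center, days):
    """Rows whose notAfter lies within `days` of `center`."""
    return [r for r in rows if abs((r[0] - center).days) <= days]

def valid_beyond(rows, as_of, years):
    """Issuers with a root valid more than `years` years past `as_of`."""
    # Day clamped to 28 so the horizon is a valid date in any month.
    horizon = date(as_of.year + years, as_of.month, min(as_of.day, 28))
    return sorted({r[3] for r in rows if r[0] > horizon})

def render(rows):
    """Fixed-width table with one column each for M and N."""
    out = ["   expiration    M  N  issuer"]
    for exp, in_m, in_n, name in rows:
        out.append(f"{exp:%a %b %d, %Y} {'x' if in_m else ' '}  "
                   f"{'x' if in_n else ' '}  {name}")
    return "\n".join(out)
```

Calling `render(compare(EXPLORER, NETSCAPE))` prints the merged table; the same rows feed `scorecard`, `expiring_near(rows, date(2000, 1, 1), 7)` and `valid_beyond(rows, date(1998, 11, 20), 5)`.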