Firewall Wizards mailing list archives

Re: Expiring root CA in web browsers --Y2K


From: Dan Geer <geer () world std com>
Date: Fri, 26 Nov 1999 12:20:16 -0500


    
While pinned down by Cardassians, don Wang <donwang () uac com> wrote:

  >  Folks,
  >  
  >  I am not sure if this is the right place to post this message. Since you
  >  guys are security experts in general, maybe you can shed some insight?
  >  or maybe suggest a better group to post? Thanks and happy holidays!
  >  
  >  Don

and the rest of his message eventually came to me.  I am not on
this list ordinarily, but I'm told you all might possibly profit
from this year-old analysis of expiring root certificates in
popular browsers.  If one of you is energized to do the updated
version, I'd be obliged for a copy.

Best viewed in emacs.

Regards,

--dan


------- Forwarded Message

Date: Fri, 20 Nov 1998 19:00:31 -0500 (EST)
From: myself
To: coworkers
Subject: lifetime of certs now in circulation


********************************************
*** view this note in a fixed width font ***
********************************************


Colleagues,

I got curious about what certificates are in 
circulation before the general public so I looked
at what server certificates are out there in the
browsers as we speak.  Note that the rate at which
the general public updates its browsers is not
reliable and is constrained by bloat for those
who have anything but the most recent machinery.

First the raw data then a comparison.

For each of Netscape v4.5 and Explorer v4.0, the
certificates, ordered by expiration date, are as
follows:


===========================================================
Netscape v4.5
-----------------------------------------------------------

Wed Jul 15, 1998        BelSign Secure Server CA #00
Thu Jul 16, 1998        BelSign Class 1 CA
Thu Jul 16, 1998        BelSign Class 2 CA
Thu Jul 16, 1998        BelSign Class 3 CA
Thu Jul 16, 1998        MCI Mall CA
Sat Sep 19, 1998        BelSign Object Publishing CA #00

Thu May 06, 1999        KEYWITNESS, Canada CA
Wed Nov 03, 1999        VeriSign/RSA Commercial CA
Sat Dec 25, 1999        BBN Certificate Services CA Root 1
Thu Dec 30, 1999        AT&T Certificate Services
Thu Dec 30, 1999        GTE CyberTrust Secure Server CA
Fri Dec 31, 1999        CertiSign BR
Fri Dec 31, 1999        GTE CyberTrust Root CA #00
Fri Dec 31, 1999        VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999        VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999        VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999        VeriSign Class 4 Primary CA
Fri Dec 31, 1999        VeriSign/RSA Secure Server CA #..01

Tue Jan 16, 2001        AT&T Directory Services

Sun Apr 21, 2002        Uptime Group Plc. Class 1 CA
Sun Apr 21, 2002        Uptime Group Plc. Class 2 CA
Sun Apr 21, 2002        Uptime Group Plc. Class 3 CA
Sun Apr 21, 2002        Uptime Group Plc. Class 4 CA
Thu Feb 14, 2002        GTIS/PWGSC, Canada Gov. Web CA

Mon Aug 04, 2003        GTE CyberTrust Japan Root CA
Mon Aug 04, 2003        GTE CyberTrust Japan Secure Server CA
Wed Sep 17, 2003        GlobalSign Class 1 CA

Wed Jan 07, 2004        VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004        VeriSign Class 3 Primary CA #..32

Sat Dec 31, 2005        TC TrustCenter, Germany, Class 0 CA
Sat Dec 31, 2005        TC TrustCenter, Germany, Class 1 CA
Sat Dec 31, 2005        TC TrustCenter, Germany, Class 2 CA
Sat Dec 31, 2005        TC TrustCenter, Germany, Class 3 CA

Mon Aug 14, 2006        American Express CA
Thu Feb 23, 2006        GTE CyberTrust Root CA #01

Mon Jul 16, 2007        BelSign Secure Server CA #01
Wed Sep 19, 2007        BelSign Object Publishing CA #01

Mon Aug 11, 2008        GTE CyberTrust Root 2
Sun Aug 10, 2008        GTE CyberTrust Root 3

Thu Jan 07, 2010        VeriSign/RSA Secure Server CA #..C0

Tue Aug 13, 2013        GTE CyberTrust Root 4
Tue Sep 17, 2013        GlobalSign Partners CA
Wed Aug 14, 2013        American Express Global CA
Wed Aug 14, 2013        GTE CyberTrust Root 5

Fri May 27, 2016        Canada Post Corporation CA

Sat May 20, 2017        IBM World Registry CA
Sat May 20, 2017        Integrion CA
Tue Apr 25, 2017        GTIS/PWGSC, Canada Gov. Secure CA

Fri Aug 24, 2018        Equifax Premium CA
Mon Aug 13, 2018        GTE CyberTrust Global Root
Wed Aug 22, 2018        Equifax Secure CA

Thu Dec 31, 2020        TC TrustCenter, Germany, Class 4 CA
Thu Dec 31, 2020        Thawte Personal Basic CA
Thu Dec 31, 2020        Thawte Personal Freemail CA
Thu Dec 31, 2020        Thawte Personal Premium CA
Thu Dec 31, 2020        Thawte Personal Server CA
Thu Dec 31, 2020        Thawte Server CA
Tue Jan 07, 2020        VeriSign Class 1 Primary CA #..25

===========================================================
Explorer v4.0 (or 4.72.2106.8 if you prefer)
-----------------------------------------------------------

Thu Jul 16, 1998        MCI Mall CA

Thu May 06, 1999        KEYWITNESS, Canada CA
Wed Nov 03, 1999        VeriSign/RSA Commercial CA
Thu Dec 30, 1999        AT&T Certificate Services
Thu Dec 30, 1999        Microsoft Timestamp Root
Fri Dec 31, 1999        GTE CyberTrust Root CA #00
Fri Dec 31, 1999        VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999        VeriSign Class 4 Primary CA
Fri Dec 31, 1999        Verisign Commercial Software Publishers CA
Fri Dec 31, 1999        Verisign Individual Software Publishers CA
Fri Dec 31, 1999        Microsoft Authenticode(tm) Root

Tue Jan 16, 2001        AT&T Directory Services

Wed Jan 07, 2004        VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004        VeriSign Class 3 Primary CA #..32
Wed Jan 07, 2004        Verisign Commercial Software Publishers CA
Wed Jan 07, 2004        Verisign Individual Software Publishers CA
Wed Jan 07, 2004        Verisign Time Stamping Service Root

Fri Jan 01, 2010        Microsoft Root SGC Authority

Tue Jan 07, 2020        VeriSign Class 1 Primary CA #..25
Thu Dec 31, 2020        Thawte Personal Basic CA
Thu Dec 31, 2020        Thawte Personal Freemail CA
Thu Dec 31, 2020        Thawte Personal Premium CA
Thu Dec 31, 2020        Thawte Personal Server CA
Thu Dec 31, 2020        Thawte Server CA
Thu Dec 31, 2020        Microsoft Root Authority

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Next, this is a comparison of the two against each other

expiration         M N   issuer
----------------  -- --  ----------------------------------
Wed Jul 15, 1998     x   BelSign Secure Server CA #00
Thu Jul 16, 1998     x   BelSign Class 1 CA
Thu Jul 16, 1998     x   BelSign Class 2 CA
Thu Jul 16, 1998     x   BelSign Class 3 CA
Thu Jul 16, 1998   x x   MCI Mall CA
Mon Jul 27, 1998   x     Thawte Premium Server CA
Mon Jul 27, 1998   x     Thawte Server CA
Sat Sep 19, 1998     x   BelSign Object Publishing CA #00

Thu May 06, 1999   x x   KEYWITNESS, Canada CA
Wed Nov 03, 1999   x x   VeriSign/RSA Commercial CA
Sat Dec 25, 1999     x   BBN Certificate Services CA Root 1
Thu Dec 30, 1999   x x   AT&T Certificate Services
Thu Dec 30, 1999     x   GTE CyberTrust Secure Server CA
Thu Dec 30, 1999   x     Microsoft Timestamp Root

Fri Dec 31, 1999     x   CertiSign BR
Fri Dec 31, 1999   x x   GTE CyberTrust Root CA #00
Fri Dec 31, 1999   x     Microsoft Authenticode(tm) Root
Fri Dec 31, 1999   x x   VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999   x x   VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999   x x   VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999   x x   VeriSign Class 4 Primary CA
Fri Dec 31, 1999   x     Verisign Commercial Software Publishers CA
Fri Dec 31, 1999   x     Verisign Individual Software Publishers CA
Fri Dec 31, 1999     x   VeriSign/RSA Secure Server CA #..01

Tue Jan 16, 2001   x x   AT&T Directory Services

Thu Feb 14, 2002     x   GTIS/PWGSC, Canada Gov. Web CA
Sun Apr 21, 2002     x   Uptime Group Plc. Class 1 CA
Sun Apr 21, 2002     x   Uptime Group Plc. Class 2 CA
Sun Apr 21, 2002     x   Uptime Group Plc. Class 3 CA
Sun Apr 21, 2002     x   Uptime Group Plc. Class 4 CA

Mon Aug 04, 2003     x   GTE CyberTrust Japan Root CA
Mon Aug 04, 2003     x   GTE CyberTrust Japan Secure Server CA
Wed Sep 17, 2003     x   GlobalSign Class 1 CA

Wed Jan 07, 2004   x     VeriSign Class 1 Primary CA #..25
Wed Jan 07, 2004   x x   VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004   x x   VeriSign Class 3 Primary CA #..32
Wed Jan 07, 2004   x     Verisign Commercial Software Publishers CA
Wed Jan 07, 2004   x     Verisign Individual Software Publishers CA
Wed Jan 07, 2004   x     Verisign Time Stamping Service Root

Sat Dec 31, 2005     x   TC TrustCenter, Germany, Class 0 CA
Sat Dec 31, 2005     x   TC TrustCenter, Germany, Class 1 CA
Sat Dec 31, 2005     x   TC TrustCenter, Germany, Class 2 CA
Sat Dec 31, 2005     x   TC TrustCenter, Germany, Class 3 CA

Mon Aug 14, 2006     x   American Express CA
Thu Feb 23, 2006     x   GTE CyberTrust Root CA #01

Mon Jul 16, 2007     x   BelSign Secure Server CA #01
Wed Sep 19, 2007     x   BelSign Object Publishing CA #01

Sun Aug 10, 2008     x   GTE CyberTrust Root 3
Mon Aug 11, 2008     x   GTE CyberTrust Root 2

Fri Jan 01, 2010   x     Microsoft Root SGC Authority
Thu Jan 07, 2010     x   VeriSign/RSA Secure Server CA #..C0

Tue Aug 13, 2013     x   GTE CyberTrust Root 4
Wed Aug 14, 2013     x   American Express Global CA
Wed Aug 14, 2013     x   GTE CyberTrust Root 5
Tue Sep 17, 2013     x   GlobalSign Partners CA

Fri May 27, 2016     x   Canada Post Corporation CA

Tue Apr 25, 2017     x   GTIS/PWGSC, Canada Gov. Secure CA
Sat May 20, 2017     x   IBM World Registry CA
Sat May 20, 2017     x   Integrion CA

Mon Aug 13, 2018     x   GTE CyberTrust Global Root
Wed Aug 22, 2018     x   Equifax Secure CA
Fri Aug 24, 2018     x   Equifax Premium CA

Tue Jan 07, 2020   x x   VeriSign Class 1 Primary CA #..25
Thu Dec 31, 2020   x     Microsoft Root Authority
Thu Dec 31, 2020     x   TC TrustCenter, Germany, Class 4 CA
Thu Dec 31, 2020   x x   Thawte Personal Basic CA
Thu Dec 31, 2020   x x   Thawte Personal Freemail CA
Thu Dec 31, 2020   x x   Thawte Personal Premium CA
Thu Dec 31, 2020   x x   Thawte Premium Server CA
Thu Dec 31, 2020   x x   Thawte Server CA


giving a scorecard

  n(Netscape-only)=40
  n(Explorer-only)=12
  n(both)         =18
+--------------------
  n(Netscape)     =52
  n(Explorer)     =30
  n(total-certs)  =70

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\


Of course, it is particularly amusing to see which
ones expire on or about Y2K day, namely


expiration         M N   issuer
----------------  -- --  ----------------------------------
Fri Dec 31, 1999     x   CertiSign BR
Fri Dec 31, 1999   x x   GTE CyberTrust Root CA #00
Fri Dec 31, 1999   x     Microsoft Authenticode(tm) Root
Fri Dec 31, 1999   x x   VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999   x x   VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999   x x   VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999   x x   VeriSign Class 4 Primary CA
Fri Dec 31, 1999   x     Verisign Commercial Software Publishers CA
Fri Dec 31, 1999   x     Verisign Individual Software Publishers CA
Fri Dec 31, 1999     x   VeriSign/RSA Secure Server CA #..01
----------------  -- --  ----------------------------------
                 M=8 N=7
           26% = --- --- = 13%
                M=30 N=52

             10
or, overall, -- = 14% of today's certs yield a Y2K event 
             70 

Of these, the one that is sure to cause the most confusion
is the "Microsoft Authenticode(tm) Root" as it will cause
events for other unrelated programs.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\


I'm also pretty astonished that so many firms, viz.
American Express, BelSign, Canada Post Corporation,
Equifax, GTE CyberTrust, GTIS/PWGSC, GlobalSign
Partners, IBM, Integrion, Microsoft, TC TrustCenter,
Thawte, and VeriSign would issue certs that are
valid beyond five years out.  That is a pretty
strong bet on there being no dangerous progress
in number theory, computing horsepower, parallel
processing, etc.

The ones that are in the 2020 foresight group,
VeriSign, Microsoft, TC TrustCenter, and Thawte
really ought to have their heads examined or I'm
too dense to get the joke.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\


None of this means terribly much but it does show
the state of the world and, like chewing gum, it
might absorb your idle cycles for a bit.

--dan


------- End of Forwarded Message
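
The tabulation in the forwarded note can be redone mechanically. The Python below is an added example, not part of the original message: it parses rows in the comparison table's layout and reports the scorecard, roots already expired on the note's date, roots expiring around Y2K day, and roots valid beyond five years out. The sample rows are a few copied from the table above; the function names and the reading of column M as Explorer and N as Netscape are assumptions.

```python
import re
from datetime import date
from typing import NamedTuple

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Row layout: "Fri Dec 31, 1999   x x   issuer" (M column, then N column).
ROW = re.compile(r"^\w{3} (\w{3}) (\d{2}), (\d{4}) {3}([x ]) ([x ]) {3}(\S.*)$")

class Root(NamedTuple):
    expires: date
    explorer: bool  # "M" column, read here as Microsoft Explorer (assumption)
    netscape: bool  # "N" column, read here as Netscape (assumption)
    issuer: str

def parse_table(text):
    """Parse table rows; header, rule and blank lines do not match and are skipped."""
    roots = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m and m.group(1) in MONTHS:
            mon, day, year, in_m, in_n, issuer = m.groups()
            roots.append(Root(date(int(year), MONTHS[mon], int(day)),
                              in_m == "x", in_n == "x", issuer))
    return roots

def scorecard(roots):
    """Count roots shipped by only one browser and by both."""
    return {"explorer_only": sum(r.explorer and not r.netscape for r in roots),
            "netscape_only": sum(r.netscape and not r.explorer for r in roots),
            "both": sum(r.explorer and r.netscape for r in roots)}

def expired(roots, as_of):
    """Roots still listed in a trust store although already past expiry."""
    return [r for r in roots if r.expires < as_of]

def expiring_between(roots, start, end):
    """Roots whose expiry falls inside the inclusive window."""
    return [r for r in roots if start <= r.expires <= end]

def valid_beyond(roots, as_of, years=5):
    """Roots expiring more than `years` after `as_of` (day clamped to 28 so the date exists)."""
    horizon = date(as_of.year + years, as_of.month, min(as_of.day, 28))
    return [r for r in roots if r.expires > horizon]

# Sample input: header plus eight rows copied from the comparison table above.
SAMPLE = """\
expiration         M N   issuer
----------------  -- --  ----------------------------------
Thu Jul 16, 1998   x x   MCI Mall CA
Fri Dec 31, 1999     x   CertiSign BR
Fri Dec 31, 1999   x x   GTE CyberTrust Root CA #00
Fri Dec 31, 1999   x     Microsoft Authenticode(tm) Root
Tue Jan 16, 2001   x x   AT&T Directory Services
Wed Jan 07, 2004   x x   VeriSign Class 3 Primary CA #..32
Fri May 27, 2016     x   Canada Post Corporation CA
Thu Dec 31, 2020   x     Microsoft Root Authority
"""
```

Feeding the whole comparison table to `parse_table` instead of `SAMPLE` gives the same reports for the full list.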


