91 lines
5.2 KiB
Markdown
91 lines
5.2 KiB
Markdown
# Symantec Certificates
|
|
|
|
This directory contains the set of known active and legacy root certificates
|
|
that were operated by Symantec Corporation. In order for certificates issued
|
|
from these roots to be trusted, it is required that they comply with the
|
|
policies outlined at <https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html>.
|
|
|
|
The exceptions to this are:
|
|
* Pre-existing independently operated sub-CAs, whose keys were and are not
|
|
controled by Symantec and which maintain current and appropriate audits.
|
|
* The set of Managed CAs in accordance with the above policies.
|
|
|
|
In addition to the above, no changes exist from the Certificate Transparency
|
|
requirement outlined at <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>
|
|
|
|
## Implementation Details
|
|
|
|
Policies related to these certificates are based on the hash of the
|
|
subjectPublicKeyInfo, rather than of the certificate, and without considering
|
|
the Subject Distinguished Name.
|
|
|
|
The choice of using subjectPublicKeyInfo is two-fold:
|
|
|
|
* If there are any concerns with the how the key material has been protected,
|
|
those concerns apply to all subject names, not just the known subject names.
|
|
By limiting trust in the SPKI, the underlying issue is addressed. This also
|
|
helps address any concerns with potential cross-signs in the future, as has
|
|
been seen in past CA remediation efforts.
|
|
* Simultaneously, if there are no concerns with the SPKI, such as due to being
|
|
on the exclusions list, then we want to ensure ecosystem flexibility in the
|
|
event that the certificates themselves need to be reissued. The most likely
|
|
cause for reissusance of Excluded Sub-CAs may be presumed to be either
|
|
expiration or due to wanting to add additional extensions (such as to reduce
|
|
the scope of issuance). To avoid unduly limiting the ecosystem flexibility
|
|
in the event of those changes, excluding by SPKI allows for some limited
|
|
agility, while being grounded in the objective evaluation of the key and how
|
|
the key material has been operated and protected. In the context of Managed
|
|
CAs, this ensures that additional (effectively cross-signed) versions of the
|
|
Managed Partner Infrastructure can be introduced as needed, while ensuring no
|
|
additional code changes or updates are necessary.
|
|
|
|
Thus, identifying 'roots' (which may appear anywhere in the chain) by SPKI help
|
|
ensure the appropriate restrictions are applied, regardless of cross-signs or
|
|
self-signed variations, while identifying 'exclusions' by SPKI helps ensure the
|
|
necessary flexibility to respond to ecosystem changes.
|
|
|
|
## Roots
|
|
|
|
The full set of roots are in the [roots/](roots/) directory, organized by
|
|
SHA-256 hash of the certificate file.
|
|
|
|
The following command can be used to match certificates and their key hashes:
|
|
|
|
`` for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort ``
|
|
|
|
## Excluded Sub-CAs
|
|
|
|
### Apple
|
|
|
|
[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1917)
|
|
[Certification Practices Statement](http://images.apple.com/certificateauthority/pdf/Apple_IST_CPS_v2.0.pdf)
|
|
|
|
* [17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem](excluded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem)
|
|
* [3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem](excluded/3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem)
|
|
* [6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem](excluded/6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem)
|
|
* [904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem](excluded/904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem)
|
|
* [ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem](excluded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem)
|
|
* [a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem](excluded/a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem)
|
|
|
|
### DigiCert
|
|
|
|
[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=2228)
|
|
[Certification Practices Statement](https://www.digicert.com/CPS)
|
|
|
|
* [8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem](excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem)
|
|
* [b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem](excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem)
|
|
|
|
### Google
|
|
|
|
[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1941)
|
|
[Certification Practices Statement](http://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.3.pdf)
|
|
|
|
* [c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem](excluded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem)
|
|
|
|
## Excluded Managed CAs
|
|
|
|
### DigiCert
|
|
|
|
* [7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem](managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem)
|
|
* [ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem](managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem)
|