User profile for user: AeroBB
AeroBB Author
User level: Level 1
8 points

How does Apple decide to include root certificates in "macOS Trust Store"

Looking to taking a view on the relevance of particular root certificates to my circumstances.

e.g. Under what circumstances is the Hong Kong Post Office relevant to somebody in Northern Europe.

Acknowledge Apple has a world wide customer base, however would like to better understand the rationale and risks associated with the Apple decision making process. Worth noting the comprehensive documentation and policy available on Apple's own PKI capability.

Is there any published policy or strategic overview on how non Apple root certificates are included in the MacOs Trust Store?

Posted on Nov 23, 2019 4:52 AM

Reply

Similar questions

3 replies
User profile for user: Barney-15E
Barney-15E
User level: Level 10
123,452 points

Nov 23, 2019 5:20 AM in response to AeroBB

I don’t know where to find such a policy.

Root CAs have little to do with where in the world you are. They are used to validate certificates you receive or certificates used for securing a web site. You are probably correct that you would never connect to a site that uses a certificate issued by the Hong Kong Post Office, but it is not out of the question.

Reply
User profile for user: AeroBB
AeroBB Author
User level: Level 1
8 points

Nov 24, 2019 4:55 AM in response to Barney-15E

Thanks Barney-15E

Noted and understand the geographic freedom of Root CAs.

However as you point out it is the secure website certificate that is underpinned by the root CA.

As there does not appear to be a rationale for inclusion in the Apple list assessment of the risk associated with each root CA matches particular needs or appetite for risk. So has the Hong Kong Post office been included because they are a worldwide trusted Root CA or because they are one of the best administered for that geographic region? Who knows.

Thus if anybody wants to apply, admittedly crude, geo ring fencing you might not want to trust any site in that trust chain, without case by case confirmation. The potential effectiveness of this approach will depend upon Apple's rationale for inclusion in the trusted list. Apple to give them credit does publish its own CPS indicating a commendable level of transparency, therefore why not the principles of how the Trusted Root CA list is compiled and how any appropriate categorisation may be applied. (note it may be tricky to detail each specific decision). With all the care and attention Apple takes in the security realm it is inconceivable that such a rationale does not exist, just that it does not appear to be published - unless somebody can share/point to a source. :)

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

How does Apple decide to include root certificates in "macOS Trust Store"

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up