Q: How to manage the officially Yosemite trusted certificates
I've read the article:
HT202858: OS X Yosemite: List of available trusted root certificates
and it's - probably - complete, but...
There are in total 214 entries in my System Roots list of valid Certificates. Some of them dubious, some from governments that are not even trusted by their own people, and some next to "anonymous" in content. This amount of "trust" is plain crazy. Over 200 "trusted" certificates makes a mockery of the whole CA system.
Anyone know of software that allows:
1. Compare this list with the official Apple certified list? It's pure **** to do it manually.
2. Enable bulk export and blocking of certificates based on e.g. country, region etc. I see no reason to have basic trust of more than a few handfuls of CAs.
It would have been nice if I could just activate an "ask before trusting", allowing me to decide which certificates I need to trust and which not. As it is, I can either "always accept" or "never accept"; neither is really a help. I see no reason for trusting some of the more obscure CAs from the list, and in Europe trust of a DoD Root certificate maybe is not advisable in general use. I've just removed my trust for the CA of the Chinese railways. I have to start somewhere. Maybe a few Turkish, Far East, Basque and other obscure CA issuers should be treated the same way. In addition to the usual culprits representing DoD, GCHQ, NSA and other suspect agencies and organisations with three or four letter names.
Maybe I never need to trust them - who knows?
There seems to exist a list that is maintained under this link:
https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe
but I do not know how trustworthy and reliable the "removal" process is. Has anyone tested the shell scripts for Mac?
Would you trust more than 20, 25 or - tops - 30 CAs from a select range of countries? You'll have to, but the current and extremely inflexible system makes a mockery of the whole CA mechanism. Especially in a world where most governments - if not all - are decidedly untrustworthy.
Regards
MacBook Pro (Retina, 13-inch, Late 2012), OS X Yosemite (10.10.1), Trusted root certificates
Posted on Jan 7, 2015 7:21 PM
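One way to do the comparison asked for in point 1, as an added example that is not part of the original post: it parses the SHA-1 fingerprints and labels printed by `security find-certificate -a -Z` for the System Roots keychain and diffs them against a reference list. The reference file (one SHA-1 fingerprint per line, prepared by you from the list you trust), the function names and the embedded sample output are assumptions made for this example.

```python
import re
import subprocess
import sys

ROOTS = "/System/Library/Keychains/SystemRootCertificates.keychain"
FP1, FP2 = "A1" * 20, "B2" * 20  # constructed fingerprints, not real certificates
# Constructed, abbreviated sample in the shape `security find-certificate -a -Z` prints.
SAMPLE = f'''SHA-1 hash: {FP1}
keychain: "{ROOTS}"
    "labl"<blob>="Example Root CA 1"
SHA-1 hash: {FP2}
    "labl"<blob>="Example Root CA 2"
'''

def normalize(fp):
    """Reduce a fingerprint to bare uppercase hex so 'ab:cd' and 'AB CD' match."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def parse_security_output(text):
    """Map SHA-1 fingerprint -> certificate label from the tool's output."""
    certs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SHA-1 hash:\s*([0-9A-Fa-f]+)", line)
        if m:
            current = normalize(m.group(1))
            certs[current] = "(no label)"
            continue
        # Non-ASCII labels are printed as: "labl"<blob>=0x... "text"
        m = re.match(r'\s*"labl"<blob>=(?:0x[0-9A-Fa-f]+\s+)?"(.*)"', line)
        if m and current:
            certs[current] = m.group(1)
    return certs

def parse_reference(text):
    """Reference list: one SHA-1 fingerprint per line, '#' starts a comment."""
    fps = (normalize(line.split("#", 1)[0]) for line in text.splitlines())
    return {fp for fp in fps if len(fp) == 40}

def compare(installed, reference):
    """Return (installed but not in reference, in reference but not installed)."""
    extra = {fp: name for fp, name in installed.items() if fp not in reference}
    return extra, reference - set(installed)

if __name__ == "__main__":  # macOS only; argv[1] is the reference file
    out = subprocess.run(["security", "find-certificate", "-a", "-Z", ROOTS],
                         capture_output=True, text=True, check=True).stdout
    with open(sys.argv[1]) as fh:
        extra, missing = compare(parse_security_output(out), parse_reference(fh.read()))
    for fp, name in sorted(extra.items(), key=lambda kv: kv[1]):
        print("installed, not in reference:", fp, name)
    for fp in sorted(missing):
        print("in reference, not installed:", fp)
```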