Root\u00a0Stores are a database of root\u00a0certificates that a computer “trusts” as an issuer of SSL, Code Signing, and other X.509-standard certificates. This list of roots dictates what certificates your computer will automatically allow a connection with, or “trust.” Certificates originating from a root that is not on this list will have to be manually accepted, and are not practical for use on public websites or services.<\/p>\n
These root certificates belong to Certificate Authorities (CAs), which consists of a wide range of organizations, including well-known cyber security companies like Symantec and Comodo, to regional providers and government offices. The average user will only interact with certificates from a handful of these providers. But their devices, and hundreds of millions of other devices around the world still trust these certificates, which is often criticized as a security risk.<\/p>\n
Vendors either maintain their own root\u00a0store, or use an existing one. These root stores often have policies for acceptance, which include yearly audits and compliance reports to show that the CAs are following industry requirements.<\/p>\n
Microsoft and Apple maintain their own root\u00a0stores for their operating systems. Mozilla also operates one used by its Firefox browser and many Linux distributions.<\/p>\n
Operating Systems usually make changes to their trusted (and un-trusted) root certificates during major updates. Apple updates their trust store with every major release of Mac OS and iOS.<\/span><\/p>\n The newest version of Apple\u2019s Mac OS operating system – Version 10.12, or \u201cSierra\u201d – was\u00a0released last week; and iOS 10 was released the week before that.<\/p>\n Oftentimes this means the trusted root store is growing on each and every release. However, with Sierra and iOS 10, Apple’s trust store has actually gotten smaller.<\/p>\n Here are some quick facts about Apple’s trust store:<\/p>\n These changes are in comparison to the root certificates that were included with the previous version of Mac OS, El Capitan (10.11). The full list of root certificates comes directly from Apple. The certificate data below is directly from these Apple support pages: <\/span>Roots in Sierra<\/span><\/a> and <\/span>Roots in El Capitan<\/a>\u00a0(with the exception of the “EV Policy” column which has been simplified for formatting)<\/span>.\u00a0iOS 10 has the same Root\u00a0Store<\/a> as Sierra.<\/span><\/p>\n Apple\u2019s Root\u00a0Store has three lists\u00a0of certificates: Trusted, Always Ask, and Blocked. Always Ask certificates are \u201cuntrusted but not blocked. When one of these certificates is used, you’ll be prompted to choose whether or not to trust it.\u201d Blocked certificates are entirely unusable. This latest update has made changes to all three lists.<\/p>\n Without further ado, here are the changes:<\/span><\/p>\n Added in Mac OS Sierra\/iOS 10<\/b><\/p>\n\n
\n<\/span><\/li>\nChanges to Apple’s\u00a0Root Store<\/b><\/h2>\n
Trusted Root Certificates:<\/b><\/h2>\n