I also noticed this issue when evaluating the latest MWG v7 appliance as well. I went to www.me.com (Apple) and the root cert is a VeriSign one so is OK, but its content comes from one of 4 servers signed with certs from Comodo that aren't in the Default Known Certificate Authorities list. My UK ISP, eclipse.net.uk, uses QuoVadis certs. Again they are not in the list.
I read in one of the MWG 7.1 pdf guides that the Default Known Certificate Authorities list is populated with entries based on a list maintained by the Open SSL group.
Choosing a list with little over 100 root certs can't be a good choice by any stretch of the imagination. It also appears, based on what little documentation is available on this in the Product Guide, that the only way to update the list is through manual intervention.
So in my opinion this part of the McAfee Web Gateway is ripe for automation & maintenance through the update process. A product enhancement possibly!!!???
In my own org I can see my supplier charging on a per-incident basis to add new root cert authorities, etc. to the list of knowns. That is expensive when I've paid for the MWG product to do the same, or so I thought.
I think this lack of functionality will stop me upgrading to V7 soon because of the potential business impacts on my users as sites they use frequently are rejected by the SSL Scanner.
I'm very interested to know what McAfee propose to do about this?
This problem has been present for a long time and I am one of the guys working on it. We have established an internal "Root CA Store", which is maintained actively and monitored. We also export this into a list that MWG can read.
In one of the next builds you will be able to actively subscribe to this list, which means you get a recent list of Root CAs and active maintenance, which means
- add new Root CAs
- remove expired Root CAs
- remove compromised Root CAs
- maintain CRL URIs
Once this is available in the product you can relax and let us do this work for you :-)
The only thing we currently need is some more time for testing, but the feature is as-good-as done.
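To make the failure described in this thread concrete (a leaf cert whose chain ends in a root that is absent from the proxy's known-CA store, and the maintenance steps listed above), here is an added Python model of a TLS-inspecting proxy's root-store check. It is not MWG code and not code from anyone in this thread; the certificates are constructed sample records (simplified name/issuer/fingerprint/expiry tuples, not real X.509 objects), and the fingerprints and dates are invented placeholders.

```python
"""Model of a TLS-inspecting proxy's chain check against a root CA store.

Certificates are simplified records (constructed sample data, not real X.509):
the point is the path-building and store-maintenance logic, not parsing.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str      # distinguished name of the certificate holder
    issuer: str       # distinguished name of the signer
    fingerprint: str  # hypothetical fingerprint, used as the identity key
    not_after: datetime


def build_chain(leaf, intermediates, roots):
    """Walk issuer links from the leaf until a certificate in `roots` is reached.

    Returns the ordered chain (leaf .. root), or None when no trusted root
    is reachable (dangling issuer, or an issuer loop among intermediates).
    """
    by_subject = {c.subject: c for c in intermediates}
    root_by_subject = {c.subject: c for c in roots}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while True:
        if current.issuer in root_by_subject:
            chain.append(root_by_subject[current.issuer])
            return chain
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            return None
        seen.add(nxt.subject)
        chain.append(nxt)
        current = nxt


def check(leaf, intermediates, roots, now):
    """Decision the scanner makes for one connection: 'accept' or a reject reason."""
    chain = build_chain(leaf, intermediates, roots)
    if chain is None:
        return "reject: chain does not end in a known root CA"
    for c in chain:
        if c.not_after <= now:
            return f"reject: {c.subject} expired"
    return "accept"


def refresh_store(roots, new_roots, compromised, now):
    """Maintenance pass over the root store: add new roots, drop expired ones,
    drop roots whose fingerprint is on the compromised list."""
    merged = {c.fingerprint: c for c in roots}
    for c in new_roots:
        merged.setdefault(c.fingerprint, c)
    return [c for c in merged.values()
            if c.not_after > now and c.fingerprint not in compromised]


# --- constructed sample data (names and dates are placeholders) ---
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
VERISIGN_ROOT = Cert("CN=VeriSign Root (sample)", "CN=VeriSign Root (sample)",
                     "fp-verisign", datetime(2036, 1, 1, tzinfo=timezone.utc))
COMODO_ROOT = Cert("CN=Comodo Root (sample)", "CN=Comodo Root (sample)",
                   "fp-comodo", datetime(2030, 1, 1, tzinfo=timezone.utc))
COMODO_INT = Cert("CN=Comodo Intermediate (sample)", "CN=Comodo Root (sample)",
                  "fp-comodo-int", datetime(2020, 1, 1, tzinfo=timezone.utc))
CONTENT_LEAF = Cert("CN=content.me.com (sample)", "CN=Comodo Intermediate (sample)",
                    "fp-leaf", datetime(2012, 6, 1, tzinfo=timezone.utc))
RETIRED_ROOT = Cert("CN=Retired Root (sample)", "CN=Retired Root (sample)",
                    "fp-retired", datetime(2010, 1, 1, tzinfo=timezone.utc))

# A small default store: VeriSign present, Comodo absent, one root already expired.
DEFAULT_STORE = [VERISIGN_ROOT, RETIRED_ROOT]


def demo():
    """Run the me.com-style case before and after a store refresh."""
    before = check(CONTENT_LEAF, [COMODO_INT], DEFAULT_STORE, NOW)
    updated = refresh_store(DEFAULT_STORE, [COMODO_ROOT], {"fp-retired"}, NOW)
    after = check(CONTENT_LEAF, [COMODO_INT], updated, NOW)
    return before, after, sorted(c.subject for c in updated)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The server presents only the leaf and the Comodo intermediate; the scanner rejects the connection because nothing in its store matches the intermediate's issuer, even though the chain itself is intact. After `refresh_store` adds the Comodo root and prunes the expired one, the same chain is accepted. This is why a small, manually maintained store shows up as broken sites rather than as a visible configuration error.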
Is it possible to get some notice when this feature will be "RTM"? I am also one of the candidates that would desperately need a bigger / extended list of CA Root Authorities...
Already there for a few months
Great news Andre,
I appreciate the update and news that you guys are working on this feature
I am looking forward to providing our customers with the updated and updatable list. It has been a pain in the past. We are still in a process of testing but I think we may be able to provide a recent list, maybe without the automatic update feature, but that will be attached to the list later on.
I will let the community know once there are any news :-)
Any news on this?
Unfortunately not yet. We are pretty much done with building the content - now waiting for a build that is able to deal with the content. This will take some more time, unfortunately :-(