None of them appear in my Windows PC (Windows 7)…A Windows 7 PC has 38 Certificate Authority certificates installed. My Mac OS X Yosemite has 217 Certificate Authority certificates installed.
This is a poorly-researched comparison, because Windows downloads root certificates when they are first encountered (see http://support.microsoft.com/kb/931125).
"When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error."
This means that Microsoft can add a new root certificate to a user's system at will.
I'd argue that this is actually much less secure, given that by default a Windows machine has an unauditable list of root certs, which changes based on what Microsoft supplies. That means that a third party (let's say a government) can force Microsoft to add an arbitrary root cert to the list, and a user's machine will blindly accept certificates signed by it!
Of course the entire model is broken, if you are looking for un-crackable end-to-end security.
The list of root certs is distributed as an update through Windows update. It is not just an on-demand root cert. An organization that vets updates before applying them to production systems will also need to vet such an update.
The updates are indeed very auditable. Any organization who chooses to selectively apply updates will not have new root certs appear out of channel.
Of course Microsoft needs to be able to update the root cert list. It has been used to remove certs as well (Diginotar). However, when they do so, it needs to be transparent. Windows Update is transparent. The very article you linked even goes into details about this.
Which means that your claim that "Microsoft can add a new root certificate to a user's system at will" is false. If you do not automatically install all updates, or if you use WSUS, root certs will only be updated if you allow the update through.
The process outlined in your linked article describes how Windows will attempt to find and install the Windows Update package from the cert chain. This does NOT bypass the Windows Update mechanism; it merely looks for a package in the catalog with the root cert that was requested by following the chain.
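As an added illustration of the auditing point made above (this script is not from any commenter), here is how an administrator can baseline the Local Machine Trusted Root store on a Windows host and report roots that appear or disappear later, alongside the state of the "Turn off Automatic Root Certificates Update" policy. It assumes Windows PowerShell 5.1 or later and writes its baseline to a path chosen here for illustration.

```powershell
# Added example: snapshot Cert:\LocalMachine\Root, diff against a saved baseline,
# and report the root auto-update policy. Baseline path is an assumption.
$Baseline = Join-Path $env:ProgramData 'RootStoreBaseline.json'

function Get-RootStoreSnapshot {
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter.ToString('u')
        }
    }
}

function Get-RootAutoUpdatePolicy {
    # Policy value behind the "Turn off Automatic Root Certificates Update" GPO setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'auto-update enabled (no policy set)' }
    if ($v.DisableRootAutoUpdate -eq 1) { return 'auto-update disabled by policy' }
    return 'auto-update enabled (policy value 0)'
}

$current = @(Get-RootStoreSnapshot)

if (-not (Test-Path $Baseline)) {
    # First run: record what is trusted today so later runs have something to compare to.
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline written with $($current.Count) roots. $(Get-RootAutoUpdatePolicy)"
    return
}

$old  = @(Get-Content -Path $Baseline -Raw | ConvertFrom-Json)
$diff = Compare-Object -ReferenceObject $old -DifferenceObject $current -Property Thumbprint -PassThru

foreach ($d in $diff) {
    # '=>' means present now but not in the baseline; '<=' means removed since the baseline.
    $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Host "$tag $($d.Thumbprint) $($d.Subject)"
}
if (-not $diff) { Write-Host "No change: $($current.Count) roots match the baseline." }
Write-Host (Get-RootAutoUpdatePolicy)
```

Run it once to create the baseline and then on a schedule; any root that arrives through the on-demand fetch or an update package shows up as ADDED, which is the visibility the thread is arguing about.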
So can Microsoft. The difference between Microsoft's "search and pull" means that Apple needs to bump OS X's revision number or apply a Security Update, both of which are visible as a red badge on the "Updates" tab of the Mac App Store. Microsoft doesn't even need to apply a super generic KB update.