Yoav Nir wrote:
This sounds great at an IETF mike, but out in the field how do you
get all those millions of browsers to pull down a new trust list
that will no longer include CA foobar?
Can't happen now, and the way things are going, ain't going to
happen before 2026 either.
There's this one company such that if they use Windows update to
update their browsers, the others will follow. Technically, it's very
easy to get rid of the bad CAs. However, that company is not going to
modify their browsers, not now, probably not in the next few years.
I hate to burst your bubble, but there's no automated way to *remove*
certs from the MS cert store. You have to script it, and the script can
fail any number of different ways.
The only reliable way to nuke a trusted cert from Windows is touch
management of workstations.
Description: S/MIME Cryptographic Signature