RE: Certificate / CPS issues
2003-06-10 15:20:00
--On Tuesday, 10 June, 2003 09:12 -0700 Christian Huitema
<huitema(_at_)windows(_dot_)microsoft(_dot_)com> wrote:
The procedures used to determine the list of certification
authorities in Windows XP, Internet Explorer and other
Microsoft products are documented at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp
Christian,
Others may respond differently, but I found one part of this
very interesting. The text says, in part:
When a user visits a secure Web site (that is, by using
HTTPS), reads a secure e-mail (that is, S/MIME), or
downloads an ActiveX control that uses a new root
certificate, the Windows XP certificate chain
verification software checks the appropriate Windows
Update location and downloads the necessary root
certificate. To the user, the experience is seamless.
The user does not see any security dialog boxes or
warnings. The download happens automatically, behind the
scenes.
Suppose a user has sufficient expertise and desire to make
individual evaluations of which CA certs to accept and from what
CAs. With the earlier model, she could look through the list,
adding and deleting root certs according to her preferences and
using Microsoft's acceptance of a given cert as a guide (to
whatever extent she saw that as appropriate). Now, if I read
this correctly, there is no more choice: any cert accepted by
Microsoft is automatically trusted by the desktop software and
the user can't say, e.g., "I know that XYZ Corp, who met
Microsoft's criteria, was just bought out by ABC Corp; I believe
that ABC are scum and don't want to trust any cert issued by any
subsidiary of theirs, even if it was issued pre-merger."
Conversely, if I'm part of an enterprise that issues its own
certs for internal purposes, it doesn't look as if I can make
those certs usable in the XP environment, since such internal
certs don't satisfy the "broad business value to Microsoft
platform customers" criterion and hence will not be accepted by
Microsoft for use in the specified environment.
I hope this is only part of the story, and that user options to
accept some certs (even if they are not accepted by Microsoft)
and reject others (even if they are accepted by Microsoft) still
exist in some usable form.
regards,
john