RE: Certificate / CPS issues

--On Tuesday, 10 June, 2003 09:12 -0700 Christian Huitema<huitema(_at_)windows(_dot_)microsoft(_dot_)com> wrote:

The procedures used to determine the list of certification
authorities in Windows XP, Internet Explorer and other
Microsoft products are documented at:

http://www.microsoft.com/technet/treeview/default.asp?url=/tec
hnet/security/news/rootcert.asp


Christian,

Others may respond differently, but I found one part of thisvery interesting. The text says, in part:


        When a user visits a secure Web site (that is, by using
        HTTPS), reads a secure e-mail (that is, S/MIME), or
        downloads an ActiveX control that uses a new root
        certificate, the Windows XP certificate chain
        verification software checks the appropriate Windows
        Update location and downloads the necessary root
        certificate. To the user, the experience is seamless.
        The user does not see any security dialog boxes or
        warnings. The download happens automatically, behind the
        scenes.

Suppose a user has sufficient expertise and desire to makeindividual evaluations of which CA certs to accept and from whatCAs. With the earlier model, she could look through the list,adding and deleting root certs according to her preferences andusing Microsoft's acceptance of a given cert as a guide (towhatever extent she saw that as appropriate). Now, if I readthis correctly, there is no more choice: any cert accepted byMicrosoft is automatically trusted by the desktop software andthe user can't say, e.g., "I know that XYZ Corp, who metMicrosoft's criteria, was just bought out by ABC Corp; I believethat ABC are scum and don't want to trust any cert issued by anysubsidiary of theirs, even if it was issued pre-merger."

Conversely, if I'm part of an enterprise that issues its owncerts for internal purposes, it doesn't look as if I can makethose certs usable in the XP environment, since such internalcerts don't satisfy the "broad business value to Microsoftplatform customers" criterion and hence will not be accepted byMicrosoft for use in the specified environment.

I hope this is only part of the story, and that user options toaccept some certs (even if they are not accepted by Microsoft)and reject others (even if they are accepted by Microsoft) stillexist in some usable form.


regards,
    john

<Prev in Thread]	Current Thread	[Next in Thread>
RE: Certificate / CPS issues, (continued) RE: Certificate / CPS issues, Haren Visavadia RE: Certificate / CPS issues, Haren Visavadia RE: Certificate / CPS issues, Haren Visavadia Re: Certificate / CPS issues, Anthony Atkielski RE: Certificate / CPS issues, Christian Huitema RE: Certificate / CPS issues, Hallam-Baker, Phillip RE: Certificate / CPS issues, Einar Stefferud RE: Certificate / CPS issues, Hallam-Baker, Phillip RE: Certificate / CPS issues, Einar Stefferud RE: Certificate / CPS issues, Christian Huitema RE: Certificate / CPS issues, John C Klensin <= Re: Certificate / CPS issues, Anthony Atkielski Re: Certificate / CPS issues, John C Klensin Re: Certificate / CPS issues, Anthony Atkielski Re: Certificate / CPS issues, Haren Visavadia Re: Certificate / CPS issues, Anthony Atkielski Re: Certificate / CPS issues, Haren Visavadia Re: Certificate / CPS issues, Haren Visavadia Re: Certificate / CPS issues, Anthony Atkielski RE: Re: Certificate / CPS issues, Haren Visavadia Re: Certificate / CPS issues, Haren Visavadia