John writes:
This appears to be relatively new.
The policies on shipping certificates with the product or making them
available via MS updates may be recent. The mechanism of handling them in
software has been around for a long time. You can see the certificates in
the Internet options in MSIE, and you can add or delete top-level CAs at
your discretion. The current versions of MSIE and Windows ship with a
truckload of pre-loaded top-level CAs, I'm afraid.
It isn't clear, from either the article or
his note, how much of it is deployed already.
I see dozens of CAs defined in MSIE on XP and even on NT, so I'd say it is
well deployed.
It is linked, the article says, to Win XP
and not to IE -- there are different procedures,
it says, for IE under Win 2000, ME and earlier
than are proposed (apparently going forward)
for XP.
XP has an auto update feature; that may be the difference. They are all in
the Internet options dialog for configuration, however, as far as I know.
It strongly implies that, if there are options
to control this, they are (will be?) Windows
options, not (specifically) IE options (although
IE might well be able to access them).
Same thing, almost. Calling up the Internet options from the Configuration
Panel in Windows brings up the same dialog as calling them up from MSIE or
Outlook Exprss.
... I have no idea whether there is an easily=
accessible option that permits turning "ask
me before installing a cert" on, or what
information that question provides.
It hasn't often happened, but I seem to recall being asked if I wanted to
install a new top-level certificate. You can examine the certificate before
approving it.
And, unless you are in a position to speak
authoritatively for Microsoft,...
Not anymore.