Cronk
join:2005-07-16
Denver, CO
| MS root certificates update
I see there is an optional Root Certificates update available from MS. The description is:
This item updates the list root certificates on your computer to the latest list that is accepted by Microsoft as part of the Microsoft Root Certificate Program.
What happens if you do not have the latest list of root certificates?
Thanks |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| What happens if you do not have the latest list of root certificates? You might occasionally get a certificate warning when visiting a secure (i.e. https) web site.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
Cronk
join:2005-07-16
Denver, CO | OK thanks.
I notice that when I check the certificate on a secure website (right click-properties), IE7 gives me the option to install the certificate. Is that essentially doing the same thing, but just for that website?
Thanks |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Not quite the same thing.
The way certificates work, certain organization are considered to be CAs (certification agencies).
A Web site uses a certificate. That certificate has been signed by a CA. If you have the CA certificate in your root certificate collection, you will automatically trust the web site whose certificate is signed by that CA. And if the certificate expires, and is replaced by a newer certificate signed by the same CA, you will trust that too.
If you install the web site certificate, then that only works for that web site, and only until that certificate expires.
Importing the root certificates is roughly the equivalent of deciding to trust Microsoft's judgement that certain CA are trustworthy.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
Cronk
join:2005-07-16
Denver, CO
| OK thanks for that info.
Two questions now:
1. I assume the CA's are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CA's?
2. When I am at a secure website that I am about to enter sensitive info into, is there any value in checking the certificate if there has not been any alert that popped up?
Thanks |
|
AB
Premium
join:2006-04-04
Leesburg, VA | reply to Cronk
»MS restores root certificates that users distrust and remove |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to Cronk
Is it generally considered ok to accept Microsoft's evaluation of CA's? Personally, I'm a critic of the whole system. But, practically speaking, you don't have much choice other than to accept them.
You do have the option to mark individual root certificates untrusted. In practice you would probably only do that if you come across a reason to distrust a particular CA.
is there any value in checking the certificate if there has not been any alert that popped up? Probably not, unless you have specific reason for concern. The main time you would inspect a certificate is if there was a warning and you are trying to decide whether it is safe to ignore the warning.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL | reply to AB
MS restores root certificates that users distrust and remove Not a big deal. Just mark the certificates a untrusted, and don't try to remove them. |
|
Shady Bimmer
Premium
join:2001-12-03
Northport, NY
clubs:
·Verizon FIOS
 ·Optimum Online
| reply to Cronk
said by Cronk  :1. I assume the CA's are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CA's? It comes down to a matter of trust.
When you install a root CA certificate as a trusted root certificate you are trusting all certificates issued in the tree below that certificate (a chain of trust). You don't need to install these, but for every individual certificate presented that does not have a path to a trusted root certificate you will be explicitly asked to accept or decline. You may be given the option to install that specific certificate as trusted as well.
Microsoft offers to make this task simpler for you by putting together a set of root certificates they think you should trust. Basically they are presenting themselves as a 'super root' at the top of all trees/at the head of all chains of trust, but do you really trust them to make that decision for you? Many do not and some google searching will turn up quite a bit of discussion about this. If you have to ask whether you should trust them then likely the answer is no you should not trust M$.
Alternatively, you can choose to obtain and install just those root certificates you trust by visiting the sites of those specific CAs when needed. |
|
Cronk
join:2005-07-16
Denver, CO
| reply to nwrickert
Thanks for the replies.
said by nwrickert :is there any value in checking the certificate if there has not been any alert that popped up? Probably not, unless you have specific reason for concern. The main time you would inspect a certificate is if there was a warning and you are trying to decide whether it is safe to ignore the warning. I've noticed the option when viewing a certificate to install it. Seems like to only reason to install it would be because an alert comes up, and you've decided to trust it and want to eliminate future alerts? Would that be correct?
Thanks |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| That's the usual reason.
I would suggest you avoid haste. Sometimes a certificate warning comes up because the server is misconfigured. The best way of correcting that is for the server admin to fix the broken configuration.
If it is a server you are using regularly, such as your designated email server, then maybe add the certificate. If it is a server you visit infrequently, I would hesitate before adding it.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
Cronk
join:2005-07-16
Denver, CO | OK.
Thanks again for the information. |
|
