Re: MS root certificates update

Author	All Replies
Cronk join:2005-07-16 Denver, CO	reply to nwrickert Re: MS root certificates update OK thanks. I notice that when I check the certificate on a secure website (right click-properties), IE7 gives me the option to install the certificate. Is that essentially doing the same thing, but just for that website? Thanks
	to forum · permalink · · 2007-09-13 16:42:13 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	Not quite the same thing. The way certificates work, certain organization are considered to be CAs (certification agencies). A Web site uses a certificate. That certificate has been signed by a CA. If you have the CA certificate in your root certificate collection, you will automatically trust the web site whose certificate is signed by that CA. And if the certificate expires, and is replaced by a newer certificate signed by the same CA, you will trust that too. If you install the web site certificate, then that only works for that web site, and only until that certificate expires. Importing the root certificates is roughly the equivalent of deciding to trust Microsoft's judgement that certain CA are trustworthy. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5
	to forum · permalink · · 2007-09-13 17:36:50 ·
Cronk join:2005-07-16 Denver, CO	OK thanks for that info. Two questions now: 1. I assume the CA's are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CA's? 2. When I am at a secure website that I am about to enter sensitive info into, is there any value in checking the certificate if there has not been any alert that popped up? Thanks
	to forum · permalink · · 2007-09-13 17:57:20 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	Is it generally considered ok to accept Microsoft's evaluation of CA's? Personally, I'm a critic of the whole system. But, practically speaking, you don't have much choice other than to accept them. You do have the option to mark individual root certificates untrusted. In practice you would probably only do that if you come across a reason to distrust a particular CA. is there any value in checking the certificate if there has not been any alert that popped up? Probably not, unless you have specific reason for concern. The main time you would inspect a certificate is if there was a warning and you are trying to decide whether it is safe to ignore the warning. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5
	to forum · permalink · · 2007-09-13 18:42:26 ·
Shady Bimmer Premium join:2001-12-03 Northport, NY clubs: ·Verizon FIOS ·Optimum Online	reply to Cronk said by Cronk : 1. I assume the CA's are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CA's? It comes down to a matter of trust. When you install a root CA certificate as a trusted root certificate you are trusting all certificates issued in the tree below that certificate (a chain of trust). You don't need to install these, but for every individual certificate presented that does not have a path to a trusted root certificate you will be explicitly asked to accept or decline. You may be given the option to install that specific certificate as trusted as well. Microsoft offers to make this task simpler for you by putting together a set of root certificates they think you should trust. Basically they are presenting themselves as a 'super root' at the top of all trees/at the head of all chains of trust, but do you really trust them to make that decision for you? Many do not and some google searching will turn up quite a bit of discussion about this. If you have to ask whether you should trust them then likely the answer is no you should not trust M$. Alternatively, you can choose to obtain and install just those root certificates you trust by visiting the sites of those specific CAs when needed.
	to forum · permalink · · 2007-09-13 18:54:39 ·
Cronk join:2005-07-16 Denver, CO	reply to nwrickert Thanks for the replies. said by nwrickert : is there any value in checking the certificate if there has not been any alert that popped up? Probably not, unless you have specific reason for concern. The main time you would inspect a certificate is if there was a warning and you are trying to decide whether it is safe to ignore the warning. I've noticed the option when viewing a certificate to install it. Seems like to only reason to install it would be because an alert comes up, and you've decided to trust it and want to eliminate future alerts? Would that be correct? Thanks
	to forum · permalink · · 2007-09-13 19:06:43 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	That's the usual reason. I would suggest you avoid haste. Sometimes a certificate warning comes up because the server is misconfigured. The best way of correcting that is for the server admin to fix the broken configuration. If it is a server you are using regularly, such as your designated email server, then maybe add the certificate. If it is a server you visit infrequently, I would hesitate before adding it. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5
	to forum · permalink · · 2007-09-13 19:18:52 ·
Cronk join:2005-07-16 Denver, CO	OK. Thanks again for the information.
	to forum · permalink · · 2007-09-13 21:06:46 ·


Thursday, 10-Dec 12:36:11	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF