reply to Cronk
Re: MS root certificates update

said by Cronk:
1. I assume the CAs are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CAs?

It comes down to a matter of trust.
When you install a root CA certificate as a trusted root certificate you are trusting all certificates issued in the tree below that certificate (a chain of trust). You don't need to install these, but for every individual certificate presented that does not have a path to a trusted root certificate you will be explicitly asked to accept or decline. You may be given the option to install that specific certificate as trusted as well.
Microsoft offers to make this task simpler for you by putting together a set of root certificates they think you should trust. Basically they are presenting themselves as a 'super root' at the top of all trees/at the head of all chains of trust, but do you really trust them to make that decision for you? Many do not, and some Google searching will turn up quite a bit of discussion about this. If you have to ask whether you should trust them, then likely the answer is no, you should not trust M$.
Alternatively, you can choose to obtain and install just those root certificates you trust by visiting the sites of those specific CAs when needed.
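
An added example, not part of the original post: a PowerShell audit that lists the roots a Windows machine currently trusts and shows which root each installed intermediate CA certificate chains up to, making the "tree below that certificate" visible. It assumes the standard `Cert:\LocalMachine\Root` and `Cert:\LocalMachine\CA` stores and skips revocation checks so that it runs offline.

```powershell
# Added example: inventory trusted roots and map intermediates to the root they end at.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
"Trusted roots in LocalMachine\Root: $($roots.Count)"
$roots | Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize -Wrap

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\CA) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline audit: no CRL/OCSP lookups, so the result depends only on the local stores.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $true only if a path to a trusted root exists and validates.
    $valid = $chain.Build($cert)

    # The last element is the top of whatever path Windows managed to build.
    $top = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else {
        '(no chain built)'
    }

    [pscustomobject]@{
        Intermediate = $cert.Subject
        ChainsTo     = $top
        ChainValid   = $valid
        # Status flags such as UntrustedRoot or NotTimeValid explain a failed build.
        Problems     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# How many intermediates hang below each root: the scope of what trusting that root implies.
$report | Group-Object ChainsTo | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

# Intermediates with no valid path to a trusted root.
$report | Where-Object { -not $_.ChainValid } | Format-List
```

Chain building also consults the current user's root store, so a root trusted only for the current user can make a chain validate even though it is not in the `LocalMachine\Root` listing.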