Cronk
join:2005-07-16
Denver, CO
| reply to nwrickert
Re: MS root certificates update
OK thanks for that info.
Two questions now:
1. I assume the CA's are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CA's?
2. When I am at a secure website that I am about to enter sensitive info into, is there any value in checking the certificate if there has not been any alert that popped up?
Thanks |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| Is it generally considered ok to accept Microsoft's evaluation of CA's? Personally, I'm a critic of the whole system. But, practically speaking, you don't have much choice other than to accept them.
You do have the option to mark individual root certificates untrusted. In practice you would probably only do that if you come across a reason to distrust a particular CA.
is there any value in checking the certificate if there has not been any alert that popped up? Probably not, unless you have specific reason for concern. The main time you would inspect a certificate is if there was a warning and you are trying to decide whether it is safe to ignore the warning.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
Shady Bimmer
Premium
join:2001-12-03
Northport, NY
clubs:
·Verizon FIOS
 ·Optimum Online
| reply to Cronk
said by Cronk  :1. I assume the CA's are places like Verisign. Is it generally considered ok to accept Microsoft's evaluation of CA's? It comes down to a matter of trust.
When you install a root CA certificate as a trusted root certificate you are trusting all certificates issued in the tree below that certificate (a chain of trust). You don't need to install these, but for every individual certificate presented that does not have a path to a trusted root certificate you will be explicitly asked to accept or decline. You may be given the option to install that specific certificate as trusted as well.
Microsoft offers to make this task simpler for you by putting together a set of root certificates they think you should trust. Basically they are presenting themselves as a 'super root' at the top of all trees/at the head of all chains of trust, but do you really trust them to make that decision for you? Many do not and some google searching will turn up quite a bit of discussion about this. If you have to ask whether you should trust them then likely the answer is no you should not trust M$.
Alternatively, you can choose to obtain and install just those root certificates you trust by visiting the sites of those specific CAs when needed. |
|
Cronk
join:2005-07-16
Denver, CO
| reply to nwrickert
Thanks for the replies.
said by nwrickert :is there any value in checking the certificate if there has not been any alert that popped up? Probably not, unless you have specific reason for concern. The main time you would inspect a certificate is if there was a warning and you are trying to decide whether it is safe to ignore the warning. I've noticed the option when viewing a certificate to install it. Seems like to only reason to install it would be because an alert comes up, and you've decided to trust it and want to eliminate future alerts? Would that be correct?
Thanks |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| That's the usual reason.
I would suggest you avoid haste. Sometimes a certificate warning comes up because the server is misconfigured. The best way of correcting that is for the server admin to fix the broken configuration.
If it is a server you are using regularly, such as your designated email server, then maybe add the certificate. If it is a server you visit infrequently, I would hesitate before adding it.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
Cronk
join:2005-07-16
Denver, CO | OK.
Thanks again for the information. |
|
