An interesting question, though I wonder how much it matters. Your browser will trust some unknowable number of intermediaries signed by the roots. How many root-signed signing certs exist in the wild?
Or, there is ONE root cert for Windows. MS then effectively signed the other roots, making them all intermediaries. The root store is really the “first level intermediary cert cache”.
It matters because if you control the computer, you should be able to review the certs it trusts and remove any CAs who do not pass your requirements. This is a fundamental feature for those who care about controlling their systems (mostly enterprise clients).
MS does not have a single root cert, as a lot of users care about customizing whom they trust to certify other organizations. You trust your operating system to make a piece of software that does what you expect and to patch security vulnerabilities as they come to light. You do not need to trust your OS maker to verify root certificates. They have their default recommendations, but they are not and were never meant to be the final judge of what root certificates to trust, as that can vary from one user to another.
I’m a little skeptical about the accusations in this article, as they’re pretty extreme. I think Microsoft of all companies should understand their place in the software stack, and certainly many of their enterprise users care about customizing the root certificate list and would be outraged if this were true.
If you care, you need to use the blacklist feature. Not audit the whitelist.
You see a rumor on Twitter that the SleazeCert may be compromised. Oh no. Better check your root list. Whew. It’s not there. Are you safe?
Well, your root list does contain the TrustDaddy cert, which has signed the SleazeCert. So, no, not safe.
Certificate Transparency may help, but we’re not there yet.
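The TrustDaddy / SleazeCert scenario from this comment, worked through in code as an added example (not part of the thread). Everything here is constructed with Go's standard `crypto/x509`: the CA names, the certificates and keys, and the placeholder host `www.example.test` are all made up for the demonstration. It shows the three steps the comment describes: an audit of the root list never finds SleazeCert, ordinary verification against the root store accepts the site certificate anyway because TrustDaddy signed SleazeCert, and only a distrust list matched against every certificate in the verified chain rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // distinct serial numbers for the constructed certs
// mkCert issues a certificate for cn, signed by parent (self-signed when parent is nil).
// Every name is constructed for this example; none refers to a real CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"www.example.test"} // placeholder host
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Fingerprint is the SHA-256 of the DER encoding, the usual key for a distrust list.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Scenario mirrors the thread: the root store holds only TrustDaddy, SleazeCert is an intermediate signed by TrustDaddy, and the site certificate is issued by SleazeCert.
type Scenario struct {
	Root, Intermediate, Leaf *x509.Certificate
	SleazeFP                 string
}

func BuildScenario() Scenario {
	root, rootKey := mkCert("TrustDaddy Root CA (constructed)", true, nil, nil)
	inter, interKey := mkCert("SleazeCert Intermediate CA (constructed)", true, root, rootKey)
	leaf, _ := mkCert("www.example.test", false, inter, interKey)
	return Scenario{Root: root, Intermediate: inter, Leaf: leaf, SleazeFP: Fingerprint(inter)}
}

// RootListContains is the "audit the whitelist" check: is fp one of the trusted roots?
func (s Scenario) RootListContains(fp string) bool {
	return Fingerprint(s.Root) == fp
}

// VerifyWithDistrust builds the chain against the root store, then rejects any chain containing a certificate on the distrust list, wherever in the chain it sits.
func VerifyWithDistrust(s Scenario, distrust map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Intermediate)
	chains, err := s.Leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrust[Fingerprint(c)] {
				return fmt.Errorf("chain contains distrusted certificate %q", c.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	s := BuildScenario()
	fmt.Println("SleazeCert in root list:", s.RootListContains(s.SleazeFP))
	fmt.Println("verify, no distrust list:", VerifyWithDistrust(s, nil))
	fmt.Println("verify, SleazeCert distrusted:", VerifyWithDistrust(s, map[string]bool{s.SleazeFP: true}))
}
```

The distrust check runs over the chains that `Verify` actually built rather than over the certificates the server happened to send, so a distrusted intermediate is caught even when the client found a different path to a root. Keying the list by the SHA-256 of the whole certificate is the simplest form; a real distrust mechanism would normally also cover the public key, so that a re-issued certificate for the same key stays blocked.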
Of course. Sorry I conflated the two. If the Windows UI is similar to OS X, hiding trusted certs from the certs list would prevent you from changing their trust levels to “do not trust” (i.e. blacklisting them), as well.