Root Certificate Update

I noticed  also in the Microsoft updates in the other software. That there is a root certificate update.
I see it is not critical, but once i install it... I cannot remove it. How important is this since it is not critical?  Here is the info below:

Update for Root Certificates [May 2009] (KB931125)
Date last published: 5/26/2009
Download size: 300 KB  
This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. Adding additional root certificates to your computer enables you to use Extended Validation (EV) certificates in Internet Explorer 7, a greater range of security enhanced Web browsing, encrypted e-mail, and security enhanced code delivery. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.
System Requirements
Recommended CPU: Not specified.
Recommended memory: Not specified.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If you intend to use any of the services that derive their trust from the added certificates, you need to install this update.

rant: what they (M$) should do is add to the root cert storage. I miss having a low cost option for .org type domain certs that is accepted by default.
ParanormasticCryptographic EngineerCommented:
Basically you shouldn't apply the full root update unless you trust them all.  If you trust them, then you should not stop trusting them except in extreme situations.  You can still remove individual root certs manually from Certificates MMC if desired.

It is not critical because the system will still function without them and you are not exposed to any risk by not having them installed.  They make surfing the web more convenient.

>> rant: what they (M$) should do is add to the root cert storage. I miss having a low cost option for .org type domain certs that is accepted by default.

No, they shouldn't.  There are plenty of low cost options, e.g. GoDaddy, for legitimate certs. runs a fine show, don't get me wrong I even recommend them at times when appropriate, but they should not be included into any root program because they do not have proper auditing against the WebTrust standard.  If they can ever get enough public funding or donations to offset this very expensive cost (hundreds of thousands annually), then Microsoft and all the others would likely be happy to accept them as long as they issue under the conditions of their respective programs, which are publicly displayed, reasonable, and fair.  CACert knows this and understands this and actually has getting webtrust certified at some point - we'll see if they are ever successful.  Keep in mind that the cost of the auditing is in addition to an already expensive operation of running a properly secured CA, which if they weren't they wouldn't deserve to get in anyways.  A high end PKI can easily run well over a million dollars annually between CA staff, hardware, power, security monitoring, offsite storage, hot site costs, and so forth, and if the company only does that then the management/HR/etc. salary overhead will probably triple that at best.  </end rant>
jackm1Author Commented:
When you say the cetificate makes surfing the web more convenient. That means when I hit a site that is asking me for a Ca  it won't prompt me... Am I correct?
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

ParanormasticCryptographic EngineerCommented:
If it is in that update, yes.
more rant:
... just that it is my opinion that _it is possible_ to run a CA (like now) with some help from volunteering enthusiasts boasting better security than many of the CAs already in the list and not having to shell out millions.

in the end, the enduser should decide if he trusts a CA. WebTrust certified partners rent some of their reputation from for a lot of dough, nothing more. Should they pass the certification and from there on in relax their stance, I as an end user, would be better off with a CA that has a steady track following their own security guidelines known to user. I still think that M$'s reluctance to approve CAcert into their root cert store is rather their intent to make it all harder for OSS movement.
ParanormasticCryptographic EngineerCommented:
It just isn't feasible to do it for that, unless some very expensive key costs are donated/volunteered - even then it is debatable if it would still get under a cool mil.

 - at least half a dozen servers and associated software minimum - for redundancy this will likely be quite a bit more.  You need a root CA, should have a policy CA (but can get by in some cases without), at least one issuing CA, OCSP responders, OCSP proxies, web servers for the front end, and a dedicated backup server and robot.
 - Routers, switches, cabling, etc. - nothing really fancy is required here, but it factors in
 - HSM - these run many thousands of dollars with thousands of dollars for annual support contracts.  HSM cards are typically about 5-10k a piece, a networked device is over 30k.  There are a few cheaper solutions, but they probably won't fit the bill for what is required.
 - Time stamping server, likely including a clock appliance - these run over 60k
 - Tape devices and tapes
 - double all this for disaster recovery site
 - double again for testing environment
 - secured transportation with chain of custody documentation
 - secured servers for storing all kinds of stuff.
 - a secured room at each site with multiple person entry requirements.   your standard server room isn't good enough.
 - video survellaince
 - security guards
 - all normal building expenses
 - offsite backup storage expenses
 - UPS, power drops, power cost, on-site generator
 - at least 10 people and all the associated salaries - not to mention HR, payroll, sales, marketing and all that.  Granted, this could be somewhat offset if the company does other things.  Oh, and add to that the registration authorities and the costs of whatever validity checks they perform.
 - independant auditors - unless you are a government you are going to shell out a minimum US$200k annually for a webtrust certified auditing firm.  As mentioned before, without webtrust you aren't going to get into any root programs.  MS and a couple other accept a couple other audit guidelines, but most don't.  Even these other ones are going to be just as expensive.
 - lawyers
 - insurance

And that's just off the top of my head.  there's a lot more, but most of it is relatively minor in comparison to the above.

Yes - it is possible that through donations, grant money, etc., that CACert could get the finances to do this and get included.  I actually hope they do as well as these folks actually seem to understand what they are doing.  But unless everyone is working for dirt cheap or volunteering it just isn't feasible.  And even if they are, they will still be shelling out a pretty good chunk of cash, even with everything donated and volunteered there are other required commercial expenses.

Running a basic CA that is fine for internal use costs a whole lot less - a true professional setup is very expensive.  Trust me - I am part of a team that runs a couple of them - I know what I'm talking about.  We just dropped almost a million for our 3 PKIs to expand to meet new requirements and as a technology refresh.

CACert is taking advantage of the fact that they are a non-profit and are circumventing some of the normal security practices for the root programs out there.  They have already been added to a number of smaller products (, just nothing particularily major like IE or FF, although they are getting closer to FF although they still do not meet mozilla's non-webtrust audit requirements (which is normal for a startup, but CACert has been around for almost a decade now).  I feel that they are also getting around the 'independent' auditor since the auditor is not financially compensated since they are another non-profit ("auditor for cacert") (although their auditor dropped out since it was too much work).  it gets a little fuzzy just how objective that person really was - for the sake of not starting a messy discussion we'll assume he was and I don't have anything factual to state to the contrary on this topic, only personal speculation.

The thing here is that everyone wants everything for free, but very few people are willing to do that.  And then comes the realizatio that free isn't even free.  CAcert asks for a standard donation of AUS$50 (although they will be happy to accept any amount) - that's US$40.  If you just needed one cert and felt obligated to support their cause this is more than a godaddy cert!  Granted you don't have to pay, but if nobody does, then cacert goes bye-bye.

>> in the end, the enduser should decide if he trusts a CA
Yes, but most people aren't qualified to make that decision in a well-informed way, so root programs exist.  Home user trusts MS or Apple so they get their computer with their OS with the standard browser, from that trust they inherit trust to the roots in the respective programs.

>>I as an end user, would be better off with a CA that has a steady track following their own security guidelines known to user
All commercial CA's have their policies publicly available in their Certificate Policy (CP) and some also publish their Certificate Practices Statement (CPS) although some consider this sensitive information.  This is so that the individual user can make an informed decision regarding their policy to establish trust.  A few even publish their audit reports, although most consider this sensitive, however knowing what the standards are give a higher level of confidence when they acheive accreditation based on a well known stand such as webtrust.

>>I still think that M$'s reluctance to approve CAcert into their root cert store is rather their intent to make it all harder for OSS movement.
That's riduculous.  You want extra security and better practices, yet you chastize MS for doing just that with their root program requirements.  Even the open source heroes, Mozilla, have yet to access CACert.  I wish more linux folks could get off their high-penguin and realize there is a lot more to the world than bashing MS, fun as it may be.  Does MS do some things I think they could better at - yes.  Do I think that most OSS is absolute unmanageable and/or useless junk - yes.  Do I think that all OSS is junk - no (OpenSSL, Gimp, OpenOffice, and a very few other things, although at least some distributions are finally getting to be almost bearbable).

Its funny... MS = capitalism at its finest (regardless of quality of product, they rake in the cash).  OSS = communism/socialism - it works if everyone supports it and still manages to give something resembling an effort, but there is no real incentive to produce or provide quality beyond showing off.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tolomir, doesn't my very first sentence give a sufficient answer to the original question? ("How important is this since it is not critical?")

I do, however, applaud the Paranormastic's efforts and his comments should be nominated for an award of some kind :)

so, add the first (#24744665) as an assisted solution, at least.. maybe? :P
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.