Solved

Root Certificate Update

Posted on 2009-06-29
9
524 Views
Last Modified: 2012-05-07
I noticed  also in the Microsoft updates in the other software. That there is a root certificate update.
I see it is not critical, but once i install it... I cannot remove it. How important is this since it is not critical?  Here is the info below:

Update for Root Certificates [May 2009] (KB931125)
Date last published: 5/26/2009
Download size: 300 KB  
This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. Adding additional root certificates to your computer enables you to use Extended Validation (EV) certificates in Internet Explorer 7, a greater range of security enhanced Web browsing, encrypted e-mail, and security enhanced code delivery. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.
System Requirements
Recommended CPU: Not specified.
Recommended memory: Not specified.
 
0
Comment
Question by:jackm1
  • 3
  • 3
9 Comments
 
LVL 8

Assisted Solution

by:jako
jako earned 150 total points
ID: 24744665
If you intend to use any of the services that derive their trust from the added certificates, you need to install this update.

rant: what they (M$) should do is add CAcert.org to the root cert storage. I miss having a low cost option for .org type domain certs that is accepted by default.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24746112
Basically you shouldn't apply the full root update unless you trust them all.  If you trust them, then you should not stop trusting them except in extreme situations.  You can still remove individual root certs manually from Certificates MMC if desired.

It is not critical because the system will still function without them and you are not exposed to any risk by not having them installed.  They make surfing the web more convenient.

>> rant: what they (M$) should do is add CAcert.org to the root cert storage. I miss having a low cost option for .org type domain certs that is accepted by default.

No, they shouldn't.  There are plenty of low cost options, e.g. GoDaddy, for legitimate certs.  CACert.org runs a fine show, don't get me wrong I even recommend them at times when appropriate, but they should not be included into any root program because they do not have proper auditing against the WebTrust standard.  If they can ever get enough public funding or donations to offset this very expensive cost (hundreds of thousands annually), then Microsoft and all the others would likely be happy to accept them as long as they issue under the conditions of their respective programs, which are publicly displayed, reasonable, and fair.  CACert knows this and understands this and actually has getting webtrust certified at some point - we'll see if they are ever successful.  Keep in mind that the cost of the auditing is in addition to an already expensive operation of running a properly secured CA, which if they weren't they wouldn't deserve to get in anyways.  A high end PKI can easily run well over a million dollars annually between CA staff, hardware, power, security monitoring, offsite storage, hot site costs, and so forth, and if the company only does that then the management/HR/etc. salary overhead will probably triple that at best.  </end rant>
0
 

Author Comment

by:jackm1
ID: 24747062
When you say the cetificate makes surfing the web more convenient. That means when I hit a site that is asking me for a Ca  it won't prompt me... Am I correct?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 31

Expert Comment

by:Paranormastic
ID: 24749639
If it is in that update, yes.
0
 
LVL 8

Expert Comment

by:jako
ID: 24753518
more rant:
... just that it is my opinion that _it is possible_ to run a CA (like CAcert.org now) with some help from volunteering enthusiasts boasting better security than many of the CAs already in the list and not having to shell out millions.

in the end, the enduser should decide if he trusts a CA. WebTrust certified partners rent some of their reputation from CICA.ca for a lot of dough, nothing more. Should they pass the certification and from there on in relax their stance, I as an end user, would be better off with a CA that has a steady track following their own security guidelines known to user. I still think that M$'s reluctance to approve CAcert into their root cert store is rather their intent to make it all harder for OSS movement.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 350 total points
ID: 24756431
It just isn't feasible to do it for that, unless some very expensive key costs are donated/volunteered - even then it is debatable if it would still get under a cool mil.

Hardware:
 - at least half a dozen servers and associated software minimum - for redundancy this will likely be quite a bit more.  You need a root CA, should have a policy CA (but can get by in some cases without), at least one issuing CA, OCSP responders, OCSP proxies, web servers for the front end, and a dedicated backup server and robot.
 - Routers, switches, cabling, etc. - nothing really fancy is required here, but it factors in
 - HSM - these run many thousands of dollars with thousands of dollars for annual support contracts.  HSM cards are typically about 5-10k a piece, a networked device is over 30k.  There are a few cheaper solutions, but they probably won't fit the bill for what is required.
 - Time stamping server, likely including a clock appliance - these run over 60k
 - Tape devices and tapes
 - double all this for disaster recovery site
 - double again for testing environment
 - secured transportation with chain of custody documentation
 - secured servers for storing all kinds of stuff.
Environment:
 - a secured room at each site with multiple person entry requirements.   your standard server room isn't good enough.
 - video survellaince
 - security guards
 - all normal building expenses
 - offsite backup storage expenses
 - UPS, power drops, power cost, on-site generator
Personnel:
 - at least 10 people and all the associated salaries - not to mention HR, payroll, sales, marketing and all that.  Granted, this could be somewhat offset if the company does other things.  Oh, and add to that the registration authorities and the costs of whatever validity checks they perform.
 - independant auditors - unless you are a government you are going to shell out a minimum US$200k annually for a webtrust certified auditing firm.  As mentioned before, without webtrust you aren't going to get into any root programs.  MS and a couple other accept a couple other audit guidelines, but most don't.  Even these other ones are going to be just as expensive.
 - lawyers
 - insurance

And that's just off the top of my head.  there's a lot more, but most of it is relatively minor in comparison to the above.

Yes - it is possible that through donations, grant money, etc., that CACert could get the finances to do this and get included.  I actually hope they do as well as these folks actually seem to understand what they are doing.  But unless everyone is working for dirt cheap or volunteering it just isn't feasible.  And even if they are, they will still be shelling out a pretty good chunk of cash, even with everything donated and volunteered there are other required commercial expenses.

Running a basic CA that is fine for internal use costs a whole lot less - a true professional setup is very expensive.  Trust me - I am part of a team that runs a couple of them - I know what I'm talking about.  We just dropped almost a million for our 3 PKIs to expand to meet new requirements and as a technology refresh.

CACert is taking advantage of the fact that they are a non-profit and are circumventing some of the normal security practices for the root programs out there.  They have already been added to a number of smaller products (https://wiki.cacert.org/wiki/InclusionStatus), just nothing particularily major like IE or FF, although they are getting closer to FF although they still do not meet mozilla's non-webtrust audit requirements (which is normal for a startup, but CACert has been around for almost a decade now).  I feel that they are also getting around the 'independent' auditor since the auditor is not financially compensated since they are another non-profit ("auditor for cacert") (although their auditor dropped out since it was too much work).  it gets a little fuzzy just how objective that person really was - for the sake of not starting a messy discussion we'll assume he was and I don't have anything factual to state to the contrary on this topic, only personal speculation.

The thing here is that everyone wants everything for free, but very few people are willing to do that.  And then comes the realizatio that free isn't even free.  CAcert asks for a standard donation of AUS$50 (although they will be happy to accept any amount) - that's US$40.  If you just needed one cert and felt obligated to support their cause this is more than a godaddy cert!  Granted you don't have to pay, but if nobody does, then cacert goes bye-bye.

>> in the end, the enduser should decide if he trusts a CA
Yes, but most people aren't qualified to make that decision in a well-informed way, so root programs exist.  Home user trusts MS or Apple so they get their computer with their OS with the standard browser, from that trust they inherit trust to the roots in the respective programs.

>>I as an end user, would be better off with a CA that has a steady track following their own security guidelines known to user
All commercial CA's have their policies publicly available in their Certificate Policy (CP) and some also publish their Certificate Practices Statement (CPS) although some consider this sensitive information.  This is so that the individual user can make an informed decision regarding their policy to establish trust.  A few even publish their audit reports, although most consider this sensitive, however knowing what the standards are give a higher level of confidence when they acheive accreditation based on a well known stand such as webtrust.

>>I still think that M$'s reluctance to approve CAcert into their root cert store is rather their intent to make it all harder for OSS movement.
That's riduculous.  You want extra security and better practices, yet you chastize MS for doing just that with their root program requirements.  Even the open source heroes, Mozilla, have yet to access CACert.  I wish more linux folks could get off their high-penguin and realize there is a lot more to the world than bashing MS, fun as it may be.  Does MS do some things I think they could better at - yes.  Do I think that most OSS is absolute unmanageable and/or useless junk - yes.  Do I think that all OSS is junk - no (OpenSSL, Gimp, OpenOffice, and a very few other things, although at least some distributions are finally getting to be almost bearbable).

Its funny... MS = capitalism at its finest (regardless of quality of product, they rake in the cash).  OSS = communism/socialism - it works if everyone supports it and still manages to give something resembling an effort, but there is no real incentive to produce or provide quality beyond showing off.
0
 
LVL 8

Expert Comment

by:jako
ID: 24947401
Tolomir, doesn't my very first sentence give a sufficient answer to the original question? ("How important is this since it is not critical?")

I do, however, applaud the Paranormastic's efforts and his comments should be nominated for an award of some kind :)

so, add the first (#24744665) as an assisted solution, at least.. maybe? :P
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now