
Root Certificate Update

jackm1 asked:
Last Modified: 2012-05-07
I also noticed, in the Microsoft updates under the other software, that there is a root certificate update.
I see it is not critical, but once I install it, I cannot remove it. How important is this since it is not critical? Here is the info below:

Update for Root Certificates [May 2009] (KB931125)
Date last published: 5/26/2009
Download size: 300 KB  
This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. Adding additional root certificates to your computer enables you to use Extended Validation (EV) certificates in Internet Explorer 7, a greater range of security enhanced Web browsing, encrypted e-mail, and security enhanced code delivery. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.
System Requirements
Recommended CPU: Not specified.
Recommended memory: Not specified.

jakosysadmin
Commented:
Paranormastic, Cryptographic Engineer
CERTIFIED EXPERT

Commented:
Basically you shouldn't apply the full root update unless you trust them all.  If you trust them, then you should not stop trusting them except in extreme situations.  You can still remove individual root certs manually from Certificates MMC if desired.

It is not critical because the system will still function without them and you are not exposed to any risk by not having them installed.  They make surfing the web more convenient.

>> rant: what they (M$) should do is add CAcert.org to the root cert storage. I miss having a low cost option for .org type domain certs that is accepted by default.

No, they shouldn't.  There are plenty of low cost options, e.g. GoDaddy, for legitimate certs.  CACert.org runs a fine show, don't get me wrong, I even recommend them at times when appropriate, but they should not be included into any root program because they do not have proper auditing against the WebTrust standard.  If they can ever get enough public funding or donations to offset this very expensive cost (hundreds of thousands annually), then Microsoft and all the others would likely be happy to accept them as long as they issue under the conditions of their respective programs, which are publicly displayed, reasonable, and fair.  CACert knows this and understands this and actually has getting WebTrust certified at some point - we'll see if they are ever successful.  Keep in mind that the cost of the auditing is in addition to an already expensive operation of running a properly secured CA, which, if they weren't, they wouldn't deserve to get in anyways.  A high end PKI can easily run well over a million dollars annually between CA staff, hardware, power, security monitoring, offsite storage, hot site costs, and so forth, and if the company only does that then the management/HR/etc. salary overhead will probably triple that at best.  </end rant>
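The advice above is to apply the update only if you trust the roots it adds, and to remove individual roots from the Certificates MMC otherwise. This added example (not from the thread or from Microsoft) does the same audit from PowerShell: snapshot the machine's Trusted Root store before and after installing KB931125, list exactly which roots were added, and remove a single root by thumbprint. It assumes an elevated PowerShell session; `C:\Temp` and the thumbprint are placeholders.

```powershell
# Added example, not from the original thread. Snapshot the LocalMachine
# Trusted Root store before and after the update, then diff the two.
# (The per-user store at Cert:\CurrentUser\Root can be audited the same way.)
$Before = 'C:\Temp\roots-before.csv'   # placeholder paths
$After  = 'C:\Temp\roots-after.csv'

function Export-RootStore {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Thumbprint identifies a root reliably; Subject and NotAfter are for humans.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        Sort-Object Thumbprint |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootStore {
    param([Parameter(Mandatory = $true)][string]$BeforePath,
          [Parameter(Mandatory = $true)][string]$AfterPath)
    $old = Import-Csv -Path $BeforePath
    $new = Import-Csv -Path $AfterPath
    # '=>' marks entries present only in the "after" snapshot, i.e. roots the update added.
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Thumbprint -PassThru |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Thumbprint, Subject, NotAfter
}

function Remove-RootByThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Same operation as deleting the cert in the Certificates MMC; uses the .NET
    # X509Store API so it also works on older PowerShell versions.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $victim = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($victim) { $store.Remove($victim) } else { Write-Warning "No root with thumbprint $Thumbprint" }
    $store.Close()
}

# 1. Before installing the update:
Export-RootStore -Path $Before
# 2. Install KB931125 (reboot if asked), then:
Export-RootStore -Path $After
# 3. Review what was added and decide per root:
Compare-RootStore -BeforePath $Before -AfterPath $After | Format-Table -AutoSize
# 4. Remove one root you have decided not to trust (placeholder thumbprint):
# Remove-RootByThumbprint -Thumbprint '0000000000000000000000000000000000000000'
```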

Author

Commented:
When you say the certificate makes surfing the web more convenient, that means when I hit a site that is asking me for a CA it won't prompt me... Am I correct?
Paranormastic, Cryptographic Engineer
CERTIFIED EXPERT

Commented:
If it is in that update, yes.
jakosysadmin

Commented:
more rant:
... just that it is my opinion that _it is possible_ to run a CA (like CAcert.org now) with some help from volunteering enthusiasts boasting better security than many of the CAs already in the list and not having to shell out millions.

in the end, the end user should decide if he trusts a CA. WebTrust certified partners rent some of their reputation from CICA.ca for a lot of dough, nothing more. Should they pass the certification and from then on relax their stance, I as an end user would be better off with a CA that has a steady track record of following their own security guidelines known to users. I still think that M$'s reluctance to approve CAcert into their root cert store is rather their intent to make it all harder for the OSS movement.
Cryptographic Engineer
CERTIFIED EXPERT
Commented:
jakosysadmin

Commented:
Tolomir, doesn't my very first sentence give a sufficient answer to the original question? ("How important is this since it is not critical?")

I do, however, applaud Paranormastic's efforts, and his comments should be nominated for an award of some kind :)

so, add the first (#24744665) as an assisted solution, at least.. maybe? :P