[95266] in cryptography@c2.net mail archive


Re: New article on root certificate problems with Windows

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Jul 19 18:56:43 2007

Date: Thu, 19 Jul 2007 11:43:30 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
To: pgut001@cs.auckland.ac.nz
CC: Paul Hoffman <paul.hoffman@vpnc.org>, cryptography@metzdowd.com
In-Reply-To: <20070720024534.becq2x3qfsskc04g@webmail.cs.auckland.ac.nz>


pgut001@cs.auckland.ac.nz wrote:
> The executive summary, so I've got something to reply to:
>
>   In the default configuration for Windows XP with Service Pack 2 (SP2), if a
>   user removes one of the trusted root certificates, and the certifier who
>   issued that root certificate is trusted by Microsoft, Windows will silently
>   add the root certificate back into the user's store and use the original
>   trust settings.
>
> While I don't agree with this behaviour, I can see why Microsoft would do
> this, and I can't see them changing it at any time in the future.  It's the
> same reason why they ignore key usage restrictions and allow (for example) an
> encryption-only key to be used for signatures, and a thousand other breaches
> of PKI etiquette: There'd be too many user complaints if they didn't.

The real flaw that I see in their design is that they permit
certificates that they installed to be removed.  Instead they should
have provided a "disabled" feature so that those who wish to disable
installed certs can do so and thereby ensure that in the future they
won't be restored.

Jeffrey Altman
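The behaviour discussed above is hard to notice precisely because the root is restored silently. The script below is an added example, not code from either poster: it snapshots the machine root store and reports roots that have appeared or disappeared since the last run, so a re-added root shows up as a diff. It assumes a current Windows host with PowerShell (not the XP SP2 environment in the message) and the constructed baseline path shown; the store path is a parameter because the store name and location differ between Windows versions.

```powershell
# Added example: detect drift in the Windows root certificate store by
# comparing the current contents against a saved baseline.
# Assumptions: modern Windows with PowerShell, write access to $BaselinePath.
param(
    [string]$StorePath    = 'Cert:\LocalMachine\Root',
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.xml"  # constructed path
)

function Get-RootSnapshot {
    param([string]$Path)
    # Reduce each certificate to the fields needed for a stable comparison.
    Get-ChildItem -Path $Path | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
        }
    }
}

$current = @(Get-RootSnapshot -Path $StorePath)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the store as it is now (after any deliberate removals).
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written: $($current.Count) roots in $StorePath"
    return
}

$baseline = @(Import-Clixml -Path $BaselinePath)

# Compare by thumbprint. SideIndicator '=>' marks a root present now but not
# in the baseline, i.e. one that was added or silently restored.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                       -Property Thumbprint -PassThru

if (-not $diff) {
    Write-Output "No change: $($current.Count) roots match the baseline."
    return
}

foreach ($entry in $diff) {
    $state = if ($entry.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Output ('{0} {1} {2}' -f $state, $entry.Thumbprint, $entry.Subject)
}
```

Run it once after removing or distrusting a root to write the baseline, then on a schedule; any ADDED line whose thumbprint matches a root you removed is the restore behaviour described in the quoted summary.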



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
