Marsh Ray writes:

> Of course, Microsoft helpfully provides the government of Tunisia with a
> trusted root CA in their products. If you have access to a Windows box,
> visit https://www.certification.tn/ . Then look for "Agence Nationale de
> Certification Electronique" in your personal trusted root store.

Nice find!

The SSL Observatory shows that even if a government doesn't have a root CA
in your trust root, they may well have an intermediary signing certificate
that your browser implicitly trusts. Etisalat and CNNIC had these before
they got real root certs, and US DHS has one too. There are roughly 1,400
signing CAs total that browsers trust to authenticate web sites. Seems kind
of high...

> For some reason, MS Windows doesn't list everyone it trusts until they
> actually need trusting. Then root certs get installed on the fly.

Fun game: how is this possible, given that IE on Vista/7 runs as Low IL?
Surely, you need > Low IL to modify the account's trusted cert store, right?

> Oh and it's a code signing cert. This is used for things like
> running ActiveX controls without prompting. I.e., arbitrary code
> execution.

Convenient! :)


-- 
http://noncombatant.org/

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
