It seems to me that IBM is taking a purist approach: "You should know who you're talking to". And of course that's hard to argue with from a purist standpoint.
But from a pragmatic standpoint, while that's fine *for professionals who are qualified to make that decision*, there's a reason that the browsers, for example, ship with a set of standard root certs: because end-users aren't qualified to make that decision. I submit that neither are most z/OS systems folks qualified. And that's where it hews to the bone: if I'm right, then this will net *decrease* z/OS security, while costing z/OS folks a lot of time-lose/lose. Why? Because they're going to get hit with "x, y, z, and [a-w] all stopped working" and scramble to re-add those same certificates, doing so *without analysis*. So the net is that they'll wind up exactly where they were, at best; at worst, they'll add a bogus certificate. All with disruption and wasted effort. An alternative approach might be to say "You know, the folks who 'get it' will already be doing the require analysis." If IBM were to provide a list of the provided certificates with a cover letter saying "You should understand this list and delete any that you don't want to trust", then folks could continue to do so, and a few people would say "Oh, yeah, I should be doing this" and start. But the rest would continue as they have been *and would be anyway, after some hassle* -- and without IBM continuing to erode z/OS by making life more difficult. .phsiii ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
