Ok, we have too many "maybe"s in a very open discussion that depends on so many variables... My intention is not to enter into a long discussion on security policies. I don't think the author of the first email is the network manager or the one who will deal with changing security policies; he only wants to get rid of some warnings, and therefore I would recommend that he stick with the safest option, that is: only trust the CA for what you know it is made for, that is, trusting that specific site. You can do that by adding a permanent exception.
But ok, I would also recommend that you talk with the network admins to clarify how much trust should be put in the CA, how they want to deal with trust in the internal network, and so on. Maybe they will want to discuss it with us. But for our friend, the user, I would still recommend not messing with trust anchors more than needed. Let someone who knows what is going on there decide what to do.

On Mon, Jun 17, 2013 at 1:43 PM, Salz, Rich <rs...@akamai.com> wrote:

> > because from a workstation people may access external websites
> > too. Like banks
>
> And perhaps they shouldn't. Have you seen the size of the built-in
> browser CA trust lists recently?
>
> And really, which is more likely: an in-house CA leads you astray, or you
> bring some external malware from the Internet into the company?
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA

--
Cristian Thiago Moecke