
I'm just wondering if this is dubious practice considering that the OS vendor might not have been externally audited, for example about how safe the private key is, etc.

Are there any references to "rules" about stuff like this?

  • Could you re-word that perhaps? Are you saying that browsers should not include particular "OS companies" root CAs? Is this only with reference to Windows and IE? Commented Jan 26, 2011 at 22:08
  • This should be submitted as a community question, not as a regular question. You may want to delete this one and re-create it as a community question before a mod sees it.
    – Daisetsu
    Commented Jan 26, 2011 at 22:41
  • This is not a reference to one specific OS, but I am wondering if there exist some sort of rules or guidelines/general consensus about this. I am not specifically soliciting the personal opinion of users here on SU. I can see that they use it for updates, for example, but if they add themselves to browsers, they give the impression of having been audited properly for security.
    – ufotds
    Commented Jan 26, 2011 at 23:35

1 Answer


You think they are trustworthy enough for the rest of the operating system, why not the encryption? If they wanted a backdoor, they could easily add one anywhere.

For example, Apple has two CAs in Keychain Access, equally trusted as the other 161 more real CAs like Verisign (AOL is apparently trusted... didn't know that). I would guess that Apple went through the same process as the others, but I doubt it'll be confirmed publicly.
