Sep 27, 2010

What Certificate Authorities You (Are Forced to) Trust and Why

In real life, any identity-issuing agency gets its authority from a government that people elected. You can't simply declare that you will issue identity documents, because nobody would trust what you issue.

So why are there so many "trusted" root CAs in our operating systems that we never endorsed? In other words, we are forced to trust companies we didn't elect. How did those CAs get their "trusted" status?

The answer is that Microsoft decides which CAs it adds to the Windows trusted list, through a program called the "Microsoft Root Certificate Program". As long as you meet Microsoft's requirements, you can apply and (hopefully) get the same status as the big players such as VeriSign, Thawte, etc.

Not surprisingly, other mainstream OSes and browsers run the same kind of program.

Some may ask why Microsoft should make that choice on their behalf. Well, if you decided to use Windows, you, intentionally or not, already decided to trust whatever Microsoft puts on the system, didn't you? We can only trust that Microsoft's verification program does its job.

Want to know who is on the trusted list? See KB931125.
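The KB article lists the program members; the store on your own machine is what actually gets trusted, and the two can differ. The following PowerShell snippet is an added example (not from the original post and not a Microsoft tool) that enumerates the machine-wide and per-user trusted root stores through the built-in `Cert:` drive, flags entries that are expired or not self-signed, and exports a snapshot so the list can be diffed later. The output path under `$env:TEMP` is an arbitrary choice.

```powershell
# Added example: inspect which root CAs this Windows machine is configured to trust.
# Cert:\LocalMachine\Root is the machine-wide store; Cert:\CurrentUser\Root is per-user,
# which matters because a root added there needs no administrator rights.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$now = Get-Date

foreach ($store in $stores) {
    $roots = Get-ChildItem -Path $store

    "==== $store : $($roots.Count) certificates ===="

    # Subject, issuer, expiry and SHA-1 thumbprint for each trusted root.
    $roots |
        Sort-Object Subject |
        Select-Object Subject, Issuer, NotAfter, Thumbprint |
        Format-Table -AutoSize

    # A genuine root is self-signed (Subject equals Issuer); anything else deserves a look.
    $notSelfSigned = $roots | Where-Object { $_.Subject -ne $_.Issuer }
    # Expired roots are harmless for new certificates but indicate an unmaintained store.
    $expired = $roots | Where-Object { $_.NotAfter -lt $now }

    "Not self-signed: $($notSelfSigned.Count); expired: $($expired.Count)"
    $notSelfSigned | ForEach-Object { "  review: $($_.Subject) (issued by $($_.Issuer))" }
}

# Snapshot the machine store so a later run can be compared with Compare-Object
# (hypothetical path; adjust to wherever you keep baselines).
Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Select-Object Subject, Thumbprint, NotAfter |
    Export-Csv -Path "$env:TEMP\trusted-roots-baseline.csv" -NoTypeInformation
```

Two caveats when reading the output. First, since Windows Vista the local store is populated lazily: a root from the Microsoft program may not appear until the system first encounters a certificate chaining to it and fetches it through automatic root update, so a short local list does not mean fewer CAs are trusted. Second, the interesting entries are the ones that are not in the published list at all, typically roots pushed by corporate policy, local proxies or installed software; comparing the per-user store and the exported baseline against a fresh install is the quickest way to spot them.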