Windows Tip Sheet

Who Do You Trust?

Don't open your door to just any stranger claiming to be a trusted CA.

You’ve probably been to a bar or club in your life, and you were probably asked at one point to show some ID, whereupon you whipped out your driver’s license and were served the drink of your choice. Why? Who’s to say that license is legit? Well, it was issued by your state/province/whatever, and everyone trusts them to have done a good job of verifying your identity before issuing the license. If you had instead hauled out, say, your Power Rangers Fan Club card, you probably would have been picking gravel out of your teeth shortly afterward. Nobody trusts those guys.

So, I’ll ask again, who do you trust? For example, if I showed up at your company’s door with an ID issued by Saunalahden Serveri and asked to be shown into your data center, would you do it? No? Well, check your Internet Options, because Saunalahden Serveri happens to be a trusted root CA by default on most Windows systems. That means your computer trusts them to do a good job of verifying identities, and it will accept, without question, any digital certificate that chains up to their root.

Since you trust them so much, can you tell me what certificate-issuing policies they follow? What steps they take to verify someone’s identity before issuing a certificate that attests to that identity? No? Then why do you still trust them?

Digital certificates are meant to identify companies and individuals on the Internet. If I use a digital certificate to sign some code, or to secure a Web site with SSL, the certificate is supposed to vouch for my identity. One of the whole points of SSL, in fact, is to guarantee that the server you’re connecting to (say, www.microsoft.com) really does belong to the company you think it does (Microsoft Corporation); the encryption is only worth something if that identity check holds. But if the certificate issuer does a lousy job of verifying identities, then the entire system is meaningless. I’m not suggesting that Saunalahden Serveri does a bad job. But I don’t know. I haven’t had time to check them out. And so I don’t trust them.

In fact, I only trust about six CAs, because they’re ones I’ve had time to check out and decided that their identity-verification procedures are rigorous enough. I’ve gone into my Internet Options control panel, flipped to the Content tab, clicked Publishers, and selected the Trusted Root CAs tab. Then I deleted everyone but those six, because I don’t trust anyone else. You can do the same thing enterprise-wide through a Group Policy object. So, start deciding who you trust, and make sure they’re the only ones that your company’s computers will trust.
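As an added worked example (this is not code from the column, and not a Microsoft tool), here is the same clean-out done in PowerShell against the machine-wide Trusted Root store, so it can be scripted across a fleet rather than clicked through one user’s Internet Options. The thumbprints and the default list of roots Windows itself requires are assumptions: replace them with the roots you have actually vetted and with Microsoft’s published list of required roots (linked under More Resources). Two caveats apply whichever method you use. Windows keeps a per-user Trusted Root store as well as the machine-wide one, so check both. And since Windows XP the Automatic Root Certificates Update feature will quietly pull a removed root back down from Windows Update the first time a certificate chains to it, so on a curated machine disable that too (Group Policy: Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings, “Turn off Automatic Root Certificates Update”).

```powershell
# Added example; not code from the column or from Microsoft.
# Audits the LocalMachine Trusted Root store against an explicit allow-list and,
# on request, removes every root that is neither on the list nor needed by
# Windows itself. Run from an elevated PowerShell session (3.0 or later).
# Assumptions: $AllowedThumbprints are SHA-1 thumbprints of roots you vetted;
# the $RequiredSubjects default is a placeholder to be checked against
# Microsoft's published list of required roots.

function Get-UntrustedRoots {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$AllowedThumbprints,

        # Roots Windows needs regardless of your opinion of them (placeholder list).
        [string[]]$RequiredSubjects = @('Microsoft Root Authority',
                                        'Microsoft Root Certificate Authority')
    )
    # X509Certificate2.Thumbprint is upper-case hex with no spaces; normalise
    # the allow-list the same way so copy-pasted thumbprints still match.
    $allowed = $AllowedThumbprints | ForEach-Object { ($_ -replace '\s', '').ToUpper() }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $onList   = $allowed -contains $cert.Thumbprint
            $required = @($RequiredSubjects | Where-Object { $cert.Subject -like "*CN=$_*" }).Count -gt 0
            if (-not ($onList -or $required)) {
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
    finally {
        $store.Close()
    }
}

function Remove-UntrustedRoots {
    # SupportsShouldProcess gives us -WhatIf and -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$AllowedThumbprints
    )
    $doomed = @(Get-UntrustedRoots -AllowedThumbprints $AllowedThumbprints |
                ForEach-Object { $_.Thumbprint })
    if ($doomed.Count -eq 0) { Write-Verbose 'Nothing to remove.'; return }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Snapshot the collection first; removing while enumerating it is unsafe.
        foreach ($cert in @($store.Certificates)) {
            if ($doomed -contains $cert.Thumbprint -and
                $PSCmdlet.ShouldProcess($cert.Subject, 'Remove from LocalMachine\Root')) {
                $store.Remove($cert)
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Usage. The thumbprint is a placeholder; substitute the roots you have vetted.
$myRoots = @('0123456789ABCDEF0123456789ABCDEF01234567')
Get-UntrustedRoots -AllowedThumbprints $myRoots | Format-Table Subject, Thumbprint -AutoSize
Remove-UntrustedRoots -AllowedThumbprints $myRoots -WhatIf   # dry run: lists what would go
# Remove-UntrustedRoots -AllowedThumbprints $myRoots         # the real thing, prompts per root
```

Run the report first and read it; a root you have never heard of is often one Windows needs for code signing or Windows Update, which is exactly why the removal defaults to a dry run and prompts before each deletion.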

Cool Gadget
Home Theater Master MX-3000
The Home Theater Master MX-3000 is the ultimate companion for couch potatoes.
Home theater buffs know how much fun it is to shop for new universal remote controls. One new entry I dearly want to own is the Home Theater Master MX-3000 Dynamic Entertainment System. Running a cleverly disguised version of Windows CE (you’d never know it, except that it uses ActiveSync to download screens and infrared codes from your PC), it’s a touch-screen unit with several hard buttons for common tasks. Costs a fortune (MSRP $999.95), but it has a full-color screen and is very, very cool-looking.

More Resources:

  • Microsoft explains this trust thing here.
  • Read the full instructions for removing untrusted CAs.
  • Windows needs to trust a few root CAs to function properly; read the list (and make sure you really do trust these folks).

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
