scary certificate for

Ben Liddicott ben at
Mon Jun 18 20:51:49 BST 2012

Not really. The only thing Verisign would be verifying is that the 
certificate was issued to Microsoft. The OS would be using Verisign's 
presence in it's configured Trusted Root List to determine that 
Microsoft was transitively trustworthy.

*** Since Microsoft control the trust list it is in reality Microsoft 
who are vouching for Verisign. ***

So it makes sense to bung their own certificate straight in there and 
cut out the middleman.

On 18/06/2012 20:36, Peter Tomlinson wrote:
> That assumes that we trust Microsoft as much as we trust Verisign.
> Peter

More information about the ukcrypto mailing list