scary certificate for www.update.microsoft.com
ben at liddicott.com
Mon Jun 18 20:51:49 BST 2012
Not really. The only thing Verisign would be verifying is that the
certificate was issued to Microsoft. The OS would be using Verisign's
presence in it's configured Trusted Root List to determine that
Microsoft was transitively trustworthy.
*** Since Microsoft control the trust list it is in reality Microsoft
who are vouching for Verisign. ***
So it makes sense to bung their own certificate straight in there and
cut out the middleman.
On 18/06/2012 20:36, Peter Tomlinson wrote:
> That assumes that we trust Microsoft as much as we trust Verisign.
More information about the ukcrypto