Educause Security Discussion mailing list archives

Re: Deprecation of SSL Certificates Using SHA-1


From: Albert Lunde <atlunde () PANIX COM>
Date: Mon, 13 Oct 2014 11:42:43 -0500

Related to this is the problem of getting people to trust the new intermediate CAs involved (two or three in the case of the InCommon certificate service, which is rooted with an existing well known root CA "AddTrust External CA Root").

Based on my experiments so far I think I need to trust new certificates in the Windows local machine store for servers, for using them in an AD domain controller.

But I need to trust them in the Windows user certificate store to avoid getting certificate warnings about web sites with the new certificates in my desktop/laptop environment; just having the root trusted doesn't seem to be enough.

AD group policy can push out certificate trust, but for the systems that aren't joined to a domain (for most students and many staff systems), it's hard to find a way to distribute new certificates that can be distinguished from phishing or man-in-the-middle attacks.

(I can serve up certificate files as application/x-x509-ca-cert which produces some loosely appropriate response when downloading them.)

--
    Albert Lunde  albert-lunde () northwestern edu
                  atlunde () panix com  (address for personal mail)
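As an added example, not part of Albert Lunde's message or anything published by the InCommon service: a PowerShell script of the kind a help desk could hand to owners of non-domain-joined Windows systems. It downloads an intermediate CA certificate, refuses to import it unless its SHA-256 fingerprint matches one published out of band (for example on a page users already reach over an established trusted certificate), checks that the file is actually a CA certificate, imports it into the CurrentUser intermediate store (and optionally the LocalMachine store for servers), and then confirms that a chain builds up to an already-trusted root. The URL and fingerprint are placeholders to be replaced with the institution's own values.

```powershell
# Added example: verify an intermediate CA certificate against an out-of-band
# fingerprint before trusting it. URL and fingerprint below are placeholders.
param(
    [string]$CertUrl = "https://example.edu/pki/PLACEHOLDER-intermediate.crt",  # placeholder
    [string]$ExpectedSha256 = "REPLACE_WITH_FINGERPRINT_PUBLISHED_OUT_OF_BAND",   # placeholder
    [switch]$MachineStore   # also import into LocalMachine\CA (requires elevation)
)

$ErrorActionPreference = 'Stop'
$tmp = Join-Path $env:TEMP 'intermediate-candidate.crt'
Invoke-WebRequest -Uri $CertUrl -OutFile $tmp

# Load the file (DER or Base64 PEM both work with this constructor)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tmp)

# Compute the SHA-256 fingerprint of the DER encoding; the Windows UI only shows
# the SHA-1 thumbprint, so compare against a SHA-256 value published elsewhere.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''

if ($fp -ne ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()) {
    Remove-Item $tmp -Force
    throw "Fingerprint mismatch (got $fp). Refusing to import; the download may have been tampered with."
}

# Refuse anything that is not marked as a CA in BasicConstraints: an end-entity
# certificate does not belong in a CA store.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    Remove-Item $tmp -Force
    throw "Certificate $($cert.Subject) is not a CA certificate; not importing."
}

# Import into the intermediate ("CA") store, never into Root: an intermediate
# placed here is only trusted if it still chains to a root already in Root.
Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\CurrentUser\CA' | Out-Null
if ($MachineStore) {
    Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
}
Remove-Item $tmp -Force

# Confirm the intermediate now chains to a trusted root on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of trust only; leave revocation to normal use
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Imported $($cert.Subject); chains to trusted root: $($root.Subject)"
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Imported, but no trusted chain builds: $status. The root CA may not be trusted on this system."
}
```

The fingerprint comparison is the whole point: a certificate served as application/x-x509-ca-cert from a web page carries no proof of where it came from, whereas a fingerprint printed on a page users already trust (or in a mailed notice) gives them something to compare. Run with `-MachineStore` from an elevated prompt on servers or domain controllers; for domain-joined clients, group policy remains the better distribution path.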
