Educause Security Discussion mailing list archives

Re: Thawte root change to 2048 bit cert and intermediate CA


From: "David A. Greenberg" <dgreenbe () IU EDU>
Date: Wed, 26 May 2010 07:58:12 -0400

If they're changing their root cert and adding an intermediate cert,
won't all browsers and clients have to have those certs added to their
stores for SSL certs signed by them to be trusted? I don't see a 2048
bit Thawte cert in the latest patched version of Internet Explorer.

A list of current (as of Nov. 2009) root certs is available as a PDF at
http://support.microsoft.com/kb/931125. I do see a 2048 bit cert listed in
the PDF.

But most Vista+ and XP with the root certificate updates enabled should get
anything added by Microsoft automatically. 

http://technet.microsoft.com/en-us/library/cc751157.aspx

Assuming Thawte has been working with Microsoft, Vista+ and IE will work
automatically. 

"Root certificates are updated on Windows Vista automatically. When a user
visits a secure Web site (by using HTTPS SSL), reads a secure email
(S/MIME), or downloads an ActiveX control that is signed (code signing) and
encounters a new root certificate, the Windows certificate chain
verification software checks the appropriate Microsoft Update location for
the root certificate. If it finds it, it downloads it to the system. To the
user, the experience is seamless. The user does not see any security dialog
boxes or warnings. The download happens automatically, behind the scenes."

David Greenberg



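The chain-building concern raised in this thread (a client must trust the new root, and the intermediate must be available to it) shown with an added openssl demo that is not part of the thread or of Thawte's material; every CA name, the leaf name www.example.edu and the "old root" standing in for a stale client store are constructed.

```shell
#!/bin/sh
# Added demo, not from the thread: build a 2048-bit root -> intermediate -> leaf
# chain with openssl and check which trust-store contents let the leaf verify.
# All names are constructed; "old_root" stands in for a client's stale store.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# self-signed CA helper: $1 = file stem, $2 = subject CN
mkroot() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=$2" -days 30 2>/dev/null
}
# issue cert "$1" from CA "$2" with subject CN "$3" and extension file "$4"
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 30 -extfile "$4" 2>/dev/null
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
mkroot old_root "Old Root CA"          # what a stale client store contains
mkroot new_root "New 2048-bit Root CA" # the replacement root
issue intermediate new_root "Intermediate CA" ca.ext
issue leaf intermediate "www.example.edu" leaf.ext

# RSA modulus size of a certificate's public key, e.g. 2048
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# exit 0 when leaf.pem chains to a root in trust file $1; $2 = optional
# intermediate supplied "untrusted", as a server would send it in the handshake
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

echo "new root key: $(key_bits new_root.pem) bits"
verify_leaf new_root.pem intermediate.pem && echo "new root + intermediate: OK"
verify_leaf new_root.pem || echo "new root, intermediate missing: FAIL"
verify_leaf old_root.pem intermediate.pem || echo "old root only: FAIL"
```

The second and third checks are the two failure modes the thread worries about: a server that omits the intermediate, and a client whose store never received the new root.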