by sleevi
2175 days ago
If Apple is the sleeping giant of PKI, Microsoft is the come-back kid. The actual set of CAs trusted by Microsoft has massively shrunk under the leadership of their new Root Program manager, and their transparency greatly improved. https://aka.ms/rootupdates shows a regular cadence, particularly on even months, of removing trust in a large number of CAs. While they still add CAs faster than any other program, they also have strong contractual guarantees on CAs in a way unlike that of Mozilla, Apple, or Google. And Microsoft is notoriously not afraid of using lawyers for noble causes.

That link says the even number month changes are CA led.
Now of course you certainly have much better insight than I do into what's behind those CA led changes because I'm just a Relying Party with their nose pressed against the window. Maybe that new Root Program manager is encouraging participants to clean stuff up with an implied threat that if they don't Microsoft will. But as an outsider it still looks a lot like the old Microsoft root programme to me. Also Microsoft's "revoke or else" rule still sits badly with me despite its purported use to prevent people scamming Microsoft's customers. But I guess I'm glad to hear you think they've "greatly improved".