Re: Required Root CAs and CTLs

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 05:32:35 -0800

No, you cannot add those to a CTL; they must be left in their native form.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Lars Olaussen" <Isolauss@hotmail.com> wrote in message
news:%23kko6H1rDHA.1744@TK2MSFTNGP12.phx.gbl...
> In the MS Knowledge Base Article 293781 there is a list of 'Trusted Root
> Certificates That Are Required By Windows 2000'.
>
> Would it be possible to just add these root CAs to a Certificate Trust
> List made by the own PKI implemented? Then all the root CAs shipped
> with Windows could be removed, and only the own PKI and PKIs signed in
> CTLs would be accepted at domain workstations.
>
> The first goal would be to require all drivers, applications etc to be
> digitally signed. Then require all PKIs issuing these certificates to be
> approved by the own root CA; never again have to worry about rogue
> drivers and applications being signed by untrusted 'Trusted Root
> Certificate'.
>
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com
>
>