Re: Required Root CAs and CTLs
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: Thu, 20 Nov 2003 05:32:35 -0800
No, you cannot add those to a CTL, they must be left in their native form.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Lars Olaussen" <Isolauss@hotmail.com> wrote in message news:%23kko6H1rDHA.1744@TK2MSFTNGP12.phx.gbl...
> In the MS Knowledge Base Article 293781 there is a list of 'Trusted Root
> Certificates That Are Required By Windows 2000'.
>
> Would it be possible to just add these root CAs to a Certificate Trust
> List made by the own PKI implemented? Then all the root CAs shipped
> with Windows could be removed, and only the own PKI and PKIs signed in
> CTLs would be accepted at domain workstations.
>
> The first goal would be to require all drivers, applications etc to be
> digitally signed. Then require all PKIs issuing these certificates to be
> approved by the own root CA; never again have to worry about rogue
> drivers and applications being signed by untrusted 'Trusted Root
> Certificate'.
>
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com