Q.:  Why not re-use an existing Trust Store?
A.:  To silence customer complaints, products shall ship with an existing set of certificates. Embedded device manufacturers in particular want to avoid any discussion with their users about which trust anchors to ship. Furthermore, they do not want to add or remove trust anchors manually. Consequently, they come up with the idea of re-using an existing, maintained trust store. One famous project is CA Extract, which copies the work of Mozilla. Although the Webpage states that the constraints are missing, I saw several embedded device manufacturers simply copy that list for Web authentication (like HTTPS and VoIP/SIP over TLS). However, without those constraints, you allow legacy Symantec roots (GeoTrust, Thawte, and VeriSign).

Q.:  Can I trust a manufacturer who cannot manage a trust store?
A.:  Good question! Lacking knowledge in some special area of Computer Science is not rare, even for educated and experienced people. Understanding Usable Security—to which Trust-Store Management belongs—is difficult, for sure. Many, too many, manufacturers do not even know what they do not know. Therefore, they do not even ask anyone before they ship. My rules of thumb: Do not use/buy a product if you cannot see, inspect (end of validity, full name, and hash), and disable each existing certificate! Report the issue to the product support. If you are talked down, do not waste your time: write a postal letter to the head of the company (and mention this Webpage here)! The matter is difficult but not that difficult.
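
One way to run the inspection recommended above against a copied PEM bundle, as an added example that is not code from this page or from the CA Extract project: it lists each certificate's full name, end of validity and SHA-256 hash, and flags subjects naming the legacy Symantec brands from the first answer. The brand-substring match and the minimal DER walk (no signature or extension checks, strings decoded as UTF-8) are assumptions of this example.

```python
import base64
import hashlib
import re
import sys
from datetime import datetime, timezone

LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "verisign")  # names from the text above
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_der(der):
    """Return full name, end of validity and SHA-256 hash of one certificate."""
    tbs = children(children(tlv(der, 0)[1])[0][1])  # fields of tbsCertificate
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version
    tag, not_after = children(tbs[3][1])[1]  # validity = notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    expires = datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and expires.year >= 2050:  # RFC 5280: UTCTime YY >= 50 means 19YY
        expires = expires.replace(year=expires.year - 100)
    # subject = SEQUENCE of SET of SEQUENCE {OID, string}; keep the string values
    name = ", ".join(children(atv)[1][1].decode("utf-8", "replace")
                     for _, rdn in children(tbs[4][1]) for _, atv in children(rdn))
    return {"name": name, "expires": expires, "sha256": hashlib.sha256(der).hexdigest(),
            "legacy_symantec": any(b in name.lower() for b in LEGACY_BRANDS)}

def audit_bundle(pem_text, now=None):
    """Inspect every certificate in a PEM bundle; also mark expired ones."""
    now = now or datetime.now(timezone.utc)
    rows = [inspect_der(base64.b64decode(m)) for m in PEM_RE.findall(pem_text)]
    return [dict(r, expired=r["expires"] < now) for r in rows]

if __name__ == "__main__":  # usage: python audit_bundle.py cacert.pem
    for r in audit_bundle(open(sys.argv[1], encoding="utf-8").read()):
        print(r["expires"].date(), r["sha256"][:16], r["legacy_symantec"], r["name"])
```

A flagged row is a prompt to check how the product constrains or disables that root, not proof by itself that the root is trusted for TLS.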