John writes:

> This appears to be relatively new.

The policies on shipping certificates with the product or making them available via MS updates may be recent. The mechanism of handling them in software has been around for a long time. You can see the certificates in the Internet options in MSIE, and you can add or delete top-level CAs at your discretion. The current versions of MSIE and Windows ship with a truckload of pre-loaded top-level CAs, I'm afraid.

> It isn't clear, from either the article or
> his note, how much of it is deployed already.

I see dozens of CAs defined in MSIE on XP and even on NT, so I'd say it is well deployed.

> It is linked, the article says, to Win XP
> and not to IE -- there are different procedures,
> it says, for IE under Win 2000, ME and earlier
> than are proposed (apparently going forward)
> for XP.

XP has an auto update feature; that may be the difference. They are all in the Internet options dialog for configuration, however, as far as I know.

> It strongly implies that, if there are options
> to control this, they are (will be?) Windows
> options, not (specifically) IE options (although
> IE might well be able to access them).

Same thing, almost. Calling up the Internet options from the Configuration Panel in Windows brings up the same dialog as calling them up from MSIE or Outlook Express.

> ... I have no idea whether there is an easily
> accessible option that permits turning "ask
> me before installing a cert" on, or what
> information that question provides.

It hasn't often happened, but I seem to recall being asked if I wanted to install a new top-level certificate. You can examine the certificate before approving it.

> And, unless you are in a position to speak
> authoritatively for Microsoft,...

Not anymore.