Where Did These Certificates Come From ?

Ann

Oct 23, 2010, 7:07:19 PM
Under Tools - Advanced - Certificates - Authorities I have a
whole slew of certificates on file that appear to identify a
bunch of certificate authorities that don't appear to have any
significance to me. Where did they come from, what do they do
and is it safe to delete them?
--
Ann

David E. Ross

Oct 23, 2010, 8:32:19 PM

Don't delete them. At least one of them authenticates some add-ons you
might want to install. Others are used to authenticate signatures on
digitally signed E-mail messages.

--

David E. Ross
<http://www.rossde.com/>

I am again filtering and ignoring all newsgroup messages posted
through GoogleGroups via Google's G2/1.0 user agent because of the
amount of spam from that source.

Mike Easter

Oct 23, 2010, 8:54:44 PM
David E. Ross wrote:

> Ann wrote:
>> I have a
>> whole slew of certificates on file that appear to identify a
>> bunch of certificate authorities that don't appear to have any
>> significance to me. Where did they come from, what do they do
>> and is it safe to delete them?
>
> Don't delete them. At least one of them authenticates some add-ons you
> might want to install. Others are used to authenticate signatures on
> digitally signed E-mail messages.
>
For years I packed/held certificates in OE that I never used. Now I'm
packing certificates in Tbird that I never use.

I feel like (the bandito) Gold Hat (Alfonso Bedoya in The Treasure of
Sierra Madre)

(paraphrasing) Badges? We don' need no steenkin' badges.

s/badges/CA certificates/

I have never received (nor sent) a CA certificated email. It seems that
it should be an optional extension like pgp/gpg signing or encrypting
rather than embedded into everyone's OE or Tbird.

--
Mike Easter

Marcel Stör

Oct 24, 2010, 4:31:41 AM
On 24.10.10 02:54, Mike Easter wrote:
> It seems that it should be an optional extension like pgp/gpg signing or
> encrypting rather than embedded into everyone's OE or Tbird.

Why? What's the harm? If they weren't there we'd see "why can't I
receive signed emails" postings here...

--
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
-> I kill Google posts: http://twovoyagers.com/improve-usenet.org/

Ann

Oct 24, 2010, 11:20:21 AM
David E. Ross wrote:
> On 10/23/10 4:07 PM, Ann wrote:
>> Under Tools - Advanced - Certificates - Authorities I have a
>> whole slew of certificates on file that appear to identify a
>> bunch of certificate authorities that don't appear to have any
>> significance to me. Where did they come from, what do they do
>> and is it safe to delete them?
>
> Don't delete them. At least one of them authenticates some add-ons you
> might want to install. Others are used to authenticate signatures on
> digitally signed E-mail messages.
>
On further investigation, Thunderbird seems to share these
"Authorities Certificates" with Firefox. I doubt I receive many
digitally signed e-mails - particularly ones that seem to
originate from Hungary or The Netherlands, or Japan!

It gives me an uneasy feeling though...I'd like more control over
what certificates get stored in my web/mail programs.

--
Ann

Ann

Oct 24, 2010, 11:23:25 AM
Marcel Stör wrote:
> On 24.10.10 02:54, Mike Easter wrote:
>> It seems that it should be an optional extension like pgp/gpg
>> signing or
>> encrypting rather than embedded into everyone's OE or Tbird.
>
> Why? What's the harm? If they weren't there we'd see "why can't I
> receive signed emails" postings here...
>
Not necessarily if you were given the option to approve/disallow
a signed e-mail, temporarily or permanently.

--
Ann

David E. Ross

Oct 24, 2010, 1:41:45 PM

In any case, when a user "deletes" a certificate, it is not really
deleted. See
<https://wiki.mozilla.org/CA:UserCertDB#How_Mozilla_Products_Respond_to_User_Changes_of_Root_Certificates>.

Ann

Oct 26, 2010, 7:26:02 PM
David E. Ross wrote:
> On 10/24/10 8:20 AM, Ann wrote:
>> David E. Ross wrote:
>>> On 10/23/10 4:07 PM, Ann wrote:
>>>> Under Tools - Advanced - Certificates - Authorities I have a
>>>> whole slew of certificates on file that appear to identify a
>>>> bunch of certificate authorities that don't appear to have any
>>>> significance to me. Where did they come from, what do they do
>>>> and is it safe to delete them?
>>>
>>> Don't delete them. At least one of them authenticates some add-ons you
>>> might want to install. Others are used to authenticate signatures on
>>> digitally signed E-mail messages.
>>>
>> On further investigation, Thunderbird seems to share these
>> "Authorities Certificates" with Firefox. I doubt I receive many
>> digitally signed e-mails - particularly ones that seem to
>> originate from Hungary or The Netherlands, or Japan!
>>
>> It gives me an uneasy feeling though...I'd like more control over
>> what certificates get stored in my web/mail programs.
>>
>
> In any case, when a user "deletes" a certificate, it is not really
> deleted. See
> <https://wiki.mozilla.org/CA:UserCertDB#How_Mozilla_Products_Respond_to_User_Changes_of_Root_Certificates>.
>
Thank you for the link, David. I just wish I understood more of it!

--
Ann

John H Meyers

Oct 26, 2010, 9:12:01 PM

Responses thus far seem to have assumed
that these are used only for functions (e.g. S/MIME)
relating to message content (e.g. verifying "signed" messages)

However, what "root" certificates are used for verifying
the certificates of all mail servers which connect using TLS or SSL?

If by any chance you do not have those "root" certificates installed,
you will experience some considerable annoyance during those connection attempts.

The total size of an entire typical certificate store is hardly worth
considering deleting them, even if you never use SSL either.

The entire idea reminds me of a "Far Side" cartoon,
in which something flies out of a patient under surgery,
and someone around the operating table says
"What was that dang thing?
Well, it can't have been that important."

I would try to avoid the temptation to delete things
simply because you do not yet know their function,
or even if certain that you've never used it,
in case it might be, say, a fire extinguisher.

--

Ann

Oct 28, 2010, 11:10:07 AM
John H Meyers wrote:
> On 10/23/2010 6:07 PM, Ann wrote:
>
>> Under Tools - Advanced - Certificates - Authorities I have a whole slew
>> of certificates on file that appear to identify a bunch of certificate
>> authorities that don't appear to have any significance to me. Where did
>> they come from, what do they do and is it safe to delete them?
>
> Responses thus far seem to have assumed
> that these are used only for functions (e.g. S/MIME)
> relating to message content (e.g. verifying "signed" messages)
>
> However, what "root" certificates are used for verifying
> the certificates of all mail servers which connect using TLS or SSL?
>
> If by any chance you do not have those "root" certificates installed,
> you will experience some considerable annoyance during those connection attempts.

Yes, I see that some are related to my mail servers and that
fiddling with those would lead to problems.

> The total size of an entire typical certificate store is hardly worth
> considering deleting them, even if you never use SSL either.

<Portion snipped>

> I would try to avoid the temptation to delete things
> simply because you do not yet know their function,
> or even if certain that you've never used it,
> in case it might be, say, a fire extinguisher.

It would be nice if Tbird and Firefox kept their certificates
separate however. As it is, it is very difficult with some to
figure out where they came from. If a certificate is from a
website I visited once, moons ago, I'd just as soon be able to
delete it if I wish to.

--
Ann

David E. Ross

Oct 28, 2010, 1:50:17 PM

Actually, the certificates you find on your PC are usually not from
visiting Web sites via Firefox or receiving messages through
Thunderbird. If the certificates are viewed on the "Authorities" tab,
they were contained in the installation package when Firefox or
Thunderbird were installed or updated.

Certificates on the "People" tab were added as a result of messages or
visiting Web sites. In that case, I believe you had to take explicit
action to add those certificates to your configuration. However, it is
possible that some "People" certificates in Thunderbird -- those dealing
with individuals who are points-of-contact for certificate authorities
-- may have been included in installation packages.

Ann

Oct 29, 2010, 9:03:59 AM
David E. Ross wrote:

> Actually, the certificates you find on your PC are usually not from
> visiting Web sites via Firefox or receiving messages through
> Thunderbird. If the certificates are viewed on the "Authorities" tab,
> they were contained in the installation package when Firefox or
> Thunderbird were installed or updated.
>
> Certificates on the "People" tab were added as a result of messages or
> visiting Web sites. In that case, I believe you had to take explicit
> action to add those certificates to your configuration. However, it is
> possible that some "People" certificates in Thunderbird -- those dealing
> with individuals who are points-of-contact for certificate authorities
> -- may have been included in installation packages.

You are probably right. If I feel brave enough I will try
backing up and deleting the cert8.db from both Thunderbird and
Firefox profiles to see what happens, assuming that's where the
certificates are stored.

--
Ann

David E. Ross

Oct 29, 2010, 11:50:38 AM

I don't know the impact on Thunderbird.

Firefox, however, will not be able to load secure Web pages without a
certificate database. This means no online shopping, no online banking,
no access to a number of Mozilla Web pages, no logging onto Web mail
sites, etc. These all require certificates.

John McWilliams

Oct 29, 2010, 2:42:40 PM

Could I inquire kindly why deleting certs. is important to you?

--
john mcwilliams

Netscape Champion

Ann

Oct 31, 2010, 8:18:22 AM
David E. Ross wrote:
> On 10/29/10 6:03 AM, Ann wrote:
>> David E. Ross wrote:
>>
>>> Actually, the certificates you find on your PC are usually not from
>>> visiting Web sites via Firefox or receiving messages through
>>> Thunderbird. If the certificates are viewed on the "Authorities" tab,
>>> they were contained in the installation package when Firefox or
>>> Thunderbird were installed or updated.
>>>
>>> Certificates on the "People" tab were added as a result of messages or
>>> visiting Web sites. In that case, I believe you had to take explicit
>>> action to add those certificates to your configuration. However, it is
>>> possible that some "People" certificates in Thunderbird -- those dealing
>>> with individuals who are points-of-contact for certificate authorities
>>> -- may have been included in installation packages.
>>
>> You are probably right. If I feel brave enough I will try
>> backing up and deleting the cert8.db from both Thunderbird and
>> Firefox profiles to see what happens, assuming that's where the
>> certificates are stored.
>>
>
> I don't know the impact on Thunderbird.
>
> Firefox, however, will not be able to load secure Web pages without a
> certificate database. This means no online shopping, no online banking,
> no access to a number of Mozilla Web pages, no logging onto Web mail
> sites, etc. These all require certificates.

I intend to take a screen shot of my present certificates and
then compare them with the new set that I presume will be
installed by re-installing Thunderbird and Firefox.

--
Ann

Ann

Oct 31, 2010, 8:24:46 AM
It's not so much the matter of deleting certificates as finding
out what the original set of certificates was, for comparison
purposes. I want to know if "The Hong Kong Post" (among others)
was there as a certificate authority originally.

--
Ann
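
The comparison Ann describes, done by fingerprint instead of by screenshot, as an added example that is not part of the original thread. It assumes both certificate sets have been exported as PEM bundles; the `# name` label lines, the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def load_bundle(text):
    """Return {sha256_hex: label} for each PEM block in a bundle.
    The label is the nearest preceding '# ...' line (assumed convention)."""
    certs, label, body = {}, "unlabelled", None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            label = line.lstrip("# ").strip()
        elif line == BEGIN:
            body = []
        elif line == END and body is not None:
            der = base64.b64decode("".join(body), validate=True)
            # Identity is the hash of the encoded bytes, never the display name.
            certs[hashlib.sha256(der).hexdigest()] = label
            body, label = None, "unlabelled"
        elif body is not None:
            body.append(line)
    return certs

def compare(baseline, current):
    """Return (added, removed) label lists, matched by fingerprint."""
    added = sorted(current[f] for f in current.keys() - baseline.keys())
    removed = sorted(baseline[f] for f in baseline.keys() - current.keys())
    return added, removed

def _sample(label, payload):
    # Constructed stand-in: placeholder bytes, not a real X.509 certificate.
    b64 = base64.encodebytes(payload).decode()
    return f"# {label}\n{BEGIN}\n{b64}{END}\n"

# Constructed data: the "as shipped" set and the set found in the profile.
BASELINE = (_sample("Constructed Root A", b"A" * 90)
            + _sample("Constructed Root B", b"B" * 90))
CURRENT = (_sample("Constructed Root A", b"A" * 90)
           + _sample("Constructed Root B", b"B" * 89 + b"!")  # same name, new bytes
           + _sample("Constructed Root C", b"C" * 90))

if __name__ == "__main__":
    added, removed = compare(load_bundle(BASELINE), load_bundle(CURRENT))
    print("added since baseline:", added)
    print("missing from current:", removed)
```

A certificate that keeps its name but changes its bytes shows up as both added and removed, which a side-by-side comparison of names would miss.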

John H Meyers

Nov 1, 2010, 8:21:24 PM
On 10/31/2010 7:24 AM, Ann wrote:

> It's not so much the matter of deleting certificates as finding out what
> the original set of certificates was, for comparison purposes. I want
> to know if "The Hong Kong Post" (among others) was there as a
> certificate authority originally.

Mozilla must think that numerous servers in a certain region
have certificates signed only by this agency:

http://www.hongkongpost.gov.hk/product/download/root/index.html
http://www.hongkongpost.gov.hk/about/intro/index.html

Various software providers may range from very strict
to very lax about whose "CA root certificates"
they choose to include with their products,
based on their opinions of how strict and honest the CA is
about verifying identities of those to whom
they issue certificates.

To make an extreme analogy,
if you were operating a check cashing service,
you might place different weights
upon the validity of a passport (from various countries),
a drivers license (from various states),
a company ID card (from various companies), a fishing license, a library card,
a school ID card, etc. as verifying the identity of a holder,
according to how thorough and careful is each issuing "authority."

Since your product (operating system, web browser,
or email program) lets you think that your transactions
(installing software, visiting "secure" web sites,
connecting to mail servers) are "secure" (and proving
the true identity of where you think you've connected)
if their certificates are "signed" by any "authority" at all,
your overall security
is no stronger than the "weakest link" in the entire collection
of "root certificates" shipped with your product (or any update).

If you think that your product includes root certificates
from "authorities" you wouldn't trust yourself,
then you may of course delete "untrusted" root certificates
from the collection shipped with your product,
or you may add others (if you are sure of their own source),
if you feel that a worthy or necessary one has been omitted.

Deleting the entire root certificate database, however
(which sometimes all resides in a single, multi-certificate file)
is something generally unwise for anyone to do.

--

Ann

Nov 1, 2010, 9:12:06 PM
I may google all of them some time to see what they all pertain to.

--
Ann

John H Meyers

Nov 2, 2010, 9:49:47 PM
On 11/1/2010 7:21 PM, John H Meyers wrote:

> Various software providers may range from very strict
> to very lax about whose "CA root certificates"

> they choose to include with their products...

Here are a few scattered places
where you may find interesting information
about how some organizations "qualify"
the CA's whose "signing" certificates they choose to include,
some user (and vendor) concerns about Mozilla's choices,
and some "how to" info about making personal adjustments:

"Getting your root certificate included in Opera" [web and mail]
http://www.opera.com/docs/ca/

"Mozilla CA Certificate Policy (Version 1.2)"
http://www.mozilla.org/projects/security/certs/policy/

"Does Firefox reset all the root certificates and
root certificate settings whenever an upgrade is installed?"
(with some particular user's concerns about "totalitarian countries")
https://support.mozilla.com/en-US/questions/756728

"CAcert Wiki - InclusionStatus"
(one CA's attempt to get included in various products)
http://wiki.cacert.org/InclusionStatus

"Adding a Certificate Authority to Thunderbird 3"
(by a university which prefers not to pay external CA's
to sign its certificates, just as we ourselves don't)
http://www.cs.washington.edu/lab/services/email/MozillaHowTo/AddCACert.html

A security blog (note the recent entry about "Firesheep" for Firefox,
although this has very little to do with certificates)
http://www.grc.com/securitynow.htm

Bruce Schneier on "Firesheep" (October 27, 2010)
http://www.schneier.com/blog/archives/2010/10/firesheep.html
"Firesheep is a new Firefox plugin that makes it easy for you
to hijack other people's social network connections."
(this may scare people about using WiFi, even after Halloween)

--
