I, for one, don't have a compelling case. I think the enterprise has the browser TA store holding exactly Microsoft's (or Apple's or Mozilla's) regular store plus one more enterprise TA. Maybe there could be two extra TAs right after a merger. What Stephen Kent suggested, that the IT department appoint itself as the one and only TAA and then repeat all of Microsoft's changes, may be the way enterprises choose to handle this (either that or outsourcing it like all other IT). But then you don't need multiple TAAs at all. You may want to allow them for high availability and such, but they're all the same.

To get a real requirement for separation of powers or for a hierarchy of authority, we'll need to look for an example where the computer, or more specifically the application associated with the TA store (TAS?), is somehow controlled by more than one entity. The example where a bank requires you to allow it to manage your browser sounds forced to me. Real banks would like you to connect from anywhere, so they'll buy a certificate from one of the >100 TA vendors that everybody's got in their browser.

Someone suggested an example of a contractor or consultant who works for several companies such as in the enterprise example, so she needs to have each IT department as TAA. I'm not sure I buy this either, but it could be.

Perhaps one of the non-browser examples might have a more compelling case?


On Aug 17, 2007, at 7:11 PM, [EMAIL PROTECTED] wrote:


My preference is that managing different privileges for multiple
TAAs administering the same trust anchor store ought to be out of
scope, unless someone has a compelling use case with which to argue
otherwise.
