On Thu, Apr 02, 2026 at 05:13:55PM -0400, Alan DeKok wrote:
> On Apr 2, 2026, at 10:10 AM, Andrei Popov
> <[email protected]> wrote:
> >> The problem is that, particularly under Windows, it's very easy to
> >> get drawn into trusting everything Windows trusts, which means in
> >> effect any cert issued by any public CA anywhere. The example I
> >> [...]
> >
> > Correct, this is the type of issue I've been seeing time and again.
> > App/service developers use default certificate validation in their
> > TLS stack (as they are encouraged to do), which is rooted in the
> > system-wide TRP. [...]
>
> This seems like an opportunity for OS vendors to provide a standard
> set of APIs to store application-specific roots, and to do
> application-specific validation.

If you mean as the default, then I think that'd be great, but it would
be a backwards-incompatible change.

> I suspect that many applications have similar requirements.

Yes. Basically the WebPKI roots should _never_ be in the _default_
trust anchor set for _any applications other than Web browsers_.

But soon you'll realize that you'll want short-hand names for trust
anchor sets so it's easy to specify which one to use for apps.
