This is a follow-up question to this other question, which is about Google's decision to start distrusting a specific Symantec Root CA certificate. Microsoft, on the other hand, has not (yet) made any decision about that Root CA certificate, and it is still present on my Windows 7 machine.
Update: Here's a picture of the Root CA certificate from my machine. The Thumbprint here is the same as the MD2 Version Fingerprint (SHA-1) on the Root CA certificate published by Google in their blog post:
74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
Let's say that I delete the certificate from my PC but then later on I browse (using, say, IE v.11) to some website that identifies itself using that certificate.
Can the simple act of browsing to that site cause the certificate to be pushed to my "Trusted Root CA" certs?
No. If you place the certificate in the Windows certificate store in a way indicating you don't trust it, that will override the ability for Chrome to trust it. Likewise, Google can actually choose to specifically not trust it despite the fact that you do trust it, since Chrome handles certificate revocation differently than IE or Edge on Windows. – Ramhound – 2015-12-19T15:09:34.117
Thanks @Ramhound for pointing that out. I had considered that as an option (because it was suggested in the answers to my linked question) but I wanted to check what might happen if I outright deleted the certificate instead. – SherlockEinstein – 2015-12-19T15:22:01.310
What would happen depends on if you also delete the root CA which signed the Symantec CA. – Ramhound – 2015-12-19T15:24:17.503
@Ramhound, the Symantec CA in this question is the root CA (it does not have any other certs above itself in the cert chain). So this question is specifically about deleting that root CA. – SherlockEinstein – 2015-12-19T15:29:36.537
Must be a different certificate, because I recall questions about a Symantec CA cert, but it wasn't the top root. But yes, just like Chrome, Windows itself has a list of trusted and untrusted certificates, but you can specifically indicate not to trust it if you move it to the machine's untrusted list; removing it would not result in it not being trusted, though. – Ramhound – 2015-12-19T15:30:44.730
@Ramhound, thanks for your input, moving it to the untrusted certs list is probably the best option. – SherlockEinstein – 2015-12-19T15:48:45.447
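One way to carry out what the comments above settle on, as an added example that is not part of the original thread: this PowerShell script looks for the thumbprint from the question in the machine and user root stores and, if the certificate is trusted and not yet blocked, copies it into the machine's Untrusted Certificates (`Disallowed`) store. The function names are hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Thumbprint from the question, with the colons removed.
$Thumbprint = '742C3192E607E424EB4549542BE1BBC53E6174E2'

function Find-CertByThumbprint {
    param([string]$Thumbprint)
    # Stores that influence root trust, in both machine and user scope.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($name in 'Root', 'AuthRoot', 'Disallowed') {
            $path = "Cert:\$location\$name"
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem $path |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Store       = $path
                        Subject     = $_.Subject
                        NotAfter    = $_.NotAfter
                        Certificate = $_
                    }
                }
        }
    }
}

function Add-CertToDisallowed {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Opens the machine-wide Untrusted Certificates store for writing.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Certificate) } finally { $store.Close() }
}

$found = @(Find-CertByThumbprint -Thumbprint $Thumbprint)
$found | Select-Object Store, Subject, NotAfter | Format-Table -AutoSize

$trusted = @($found | Where-Object { $_.Store -notlike '*\Disallowed' })
$blocked = @($found | Where-Object { $_.Store -like '*\Disallowed' })

if ($blocked.Count -gt 0) {
    Write-Output 'Certificate is already in an Untrusted Certificates store.'
} elseif ($trusted.Count -gt 0) {
    # Copy rather than delete: the explicit distrust entry is what the comments recommend.
    Add-CertToDisallowed -Certificate $trusted[0].Certificate
    Write-Output "Copied $($trusted[0].Subject) to Cert:\LocalMachine\Disallowed."
} else {
    Write-Output 'Certificate was not found in any of the checked stores.'
}
```

Running the script a second time should list the certificate under `Cert:\LocalMachine\Disallowed` as well as its original store.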