
Root Certificate Authority role separation – On Windows and beyond - wsxarcher
https://wsx.io/certificate-authority-scope-separation-on-windows-and-beyond-4f62ec001167
======
jlgaddis
@wsx:

I'm not sure exactly where you think the problem lies.

If you install a root CA certificate, yes, whoever has the private key can
potentially intercept traffic.

If you install a root CA certificate, yes, your machine will trust any
certificates that it signs.

_That is the whole point._

If you don't trust it, don't install it!

This is all _BY DESIGN_, so I'm not surprised that Microsoft was so
dismissive.

~~~
wsxarcher
Maybe you didn't understand the whole concept. Read the first mail better.
Maybe with the Android case of VPN it is easier to understand.

If you just install the key of your VPN service, to avoid spoofing of that
VPN, you also expose yourself to another problem, the risk of a stolen private
key. That can be used to sniff you everywhere, VPN, HTTPS, etc...

In the case of Linux, if someone stole my private key of the VPN, my only
problem is the VPN, not the whole architecture, because the attacker can only
use that private key to spoof my VPN service.

About the sentence "If you install a root CA certificate, yes, your machine
will trust any certificates that it signs." Not on Linux.

