Glyph

> I think that it's not as simple on Windows as it is on Linux or OSX (although @tiran might have a better idea). I think that Windows doesn't ship...

There's some technical documentation here: https://technet.microsoft.com/en-us/library/bb457160.aspx

And some more explanation here: http://unmitigatedrisk.com/?p=259

Frustratingly, I can't find an API that just tells it to grab the certificate store; it seems that verifying a certificate chain that you don't have the root to is...

After hours of scouring MSDN, I give up. Hopefully someone else can answer this question: https://stackoverflow.com/questions/34732586/is-there-an-api-to-pre-retrieve-the-list-of-trusted-root-certificates-on-windows

I think talking about configurability is maybe a red herring. It's useful – necessary even – in certain circumstances, but users who know they need that can usually figure it...

> The flip side is that you have trust stores like Debian which trusted CACert for a long time, and still trusts SPI even though neither of those have gone...

> SPI isn't run by Debian, it's a third party organization similar to that of the Software Freedom Conservancy that Debian happens to be a member of. This is a...

> I'm pretty sure that Apple and Microsoft have both passed a WebTrust audit for their root CAs. I checked and this is definitely true for Apple and seems to...

To sum up the argument thus far, I think it's: ``` it's the OS's job to update certificates debian does a bad job ``` I don't think these statements really...