Hmm, I think it's a very elegant design, probably built to precisely address the problem you asked about. Update server manages whitelist, user/admin manages blacklist, which wins. Nice!
I think the idea the parent is trying to express is that if the Linux distro (and OS X in this situation) comes with the root certificate trusted by default via ca_root_nss/ca-bundle or whatever the packager decides to name it, they can disable it before even connecting to the internet, and if the certificate is not trusted by default then they don't need to worry about it magically getting trusted in the future, outside of the simple fact of updating the root certificate store blindly without inspecting it.
Microsoft's approach means that the user would have to go find the certificate on the internet and blacklist it explicitly, which allows a small window where the computer is vulnerable to some kind of attack involving a certificate signed by the unwanted authority.
For example, using the root discussed in the article:
1. Download the root cert from http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... (or save it from the browser's certificate viewer)
2. Open certmgr and import it into 'Untrusted Certificates'.
(This just adds it for the current user's store. Could also import into the computer store by running mmc, adding the Certificates snap-in, and specifying 'Computer account' as the target.)
3. Restart browser. Go to https://certplusrootcag1-test.opentrust.com/ - it should say the certificate is revoked.
This only works for browsers like IE and Chrome that use the Windows certificate store. Firefox has its own, so it would have to be done separately.
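The same procedure scripted in PowerShell, added here as an example and not taken from the thread. It assumes the root has already been saved locally (the path is a placeholder); 'Disallowed' is the internal name of the 'Untrusted Certificates' store, and the chain check at the end is what Windows-store browsers like IE and Chrome will see.

```powershell
# Added example: blacklist a root CA by importing it into 'Untrusted Certificates'
# (internal store name 'Disallowed') and verify that chain building now fails.
param(
    [string]$RootCerPath = "C:\certs\untrusted-root.cer",  # placeholder: saved root cert
    [switch]$Machine                                         # also block for all users (needs admin)
)

# Current-user store by default; -Machine targets the computer store (the mmc 'Computer account' case).
$store = if ($Machine) { "Cert:\LocalMachine\Disallowed" } else { "Cert:\CurrentUser\Disallowed" }

# Step 2 of the procedure above: import into 'Untrusted Certificates'.
$imported = Import-Certificate -FilePath $RootCerPath -CertStoreLocation $store
Write-Host "Imported $($imported.Subject) ($($imported.Thumbprint)) into $store"

# Check 1: the certificate is actually present in the Disallowed store.
$present = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $present) { throw "Certificate not found in $store after import" }

# Check 2: build a chain against the platform store. With the root in Disallowed the
# build should fail and the status should include ExplicitDistrust.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCerPath)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
Write-Host "Chain valid: $ok  Status: $status"
if ($ok) { throw "Root still chains successfully; distrust did not take effect" }
```

Run without -Machine for the current user only, or from an elevated prompt with -Machine to cover every account on the box; Firefox is unaffected either way.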