1. What actually happened or you saw:
There are 1000s of trusted vendors installed by default. In most cases, we want to trust just a few that we are using on our systems. The most time-consuming part of a Comodo install for me is to clear out the Trusted Vendor list based on the companies whose products I use.
2. What you wanted to happen or see:
Overall goal: allow us to configure the system with minimal certificates first. Later, as we install or run more software, we can add only relevant certificates.
Suggested features to achieve this:
Vendor list to be better organized, based on company. For example, there are a lot of vendors that use “Intel” substring as part of their name but many of them are not Intel company itself. It would be good to have Company name folders in the tree of Vendors and then +/- symbol to see individual certificates for each company. This way, we should be able to enable/disable all certificates for a company without having to figure them out individually and by mistake enabling other certificates.
Instead of Deleting Trusted Vendors, it would be good to Disable them so we can later come back and enable relevant ones. This of course would have to come with Hide/Show option for Disabled certificates.
When installing new software, Comodo could check whether it uses certificates from disabled Trusted Vendors and offer to enable those. Similarly, during HIPS alerts, Comodo could check whether the file being alerted on is signed with a certificate from a disabled vendor, and if so, provide an option to add either the vendor certificate or all certificates from the vendor company to be trusted.
(Nice to have - less defined) It would be good to have some levels of trust and relevance indications. For example, Microsoft and Intel vendors should be at the highest level. But say a vendor for which the PC has no software installed and/or from another region and/or that has been registered for less than a year or two may not be as trusted. The ability to sort by such relevance would let one more easily locate the Vendors they want to enable/disable.
3. Why you think it is desirable:
Our computers will be much more secure when we trust fewer certificates. What does it take for a rogue certificate (with an important-sounding name) to be added to the list? What does it take for some certificate to get hijacked and malware signed with it? The more certificates we trust, the greater the chance some malware will be signed by one.
I imagine with 1000s of certificates it's hard for Comodo to do great due diligence on each one, and it increases the risk that some trusted certificate gets misused against us.
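To make the grouping and enable/disable idea from the request concrete, here is an added illustration (not Comodo's code, not its vendor-list format, and the vendor entries and thumbprints are constructed for the example): a vendor store keyed on the certificate's organization field rather than on the display name, so that a substring search for "Intel" over-matches while grouping by organization does not, with per-company enable/disable, a "hide disabled" view, and the classify-on-alert check that reports whether a file's signer is trusted, belongs to a disabled vendor, or is unknown.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorCert:
    """One entry in a trusted-vendor list (constructed, not real certificates)."""
    subject_cn: str    # Subject CN as it would appear in the vendor list
    organization: str  # Subject O= field; grouping is done on this, not on CN text
    thumbprint: str    # certificate fingerprint; the key used for trust decisions


# Constructed sample list. Three company names contain the substring "Intel",
# but only one of them is Intel itself.
SAMPLE_VENDORS = [
    VendorCert("Intel(R) Software Development Products", "Intel Corporation", "aa01"),
    VendorCert("Intel(R) Rapid Storage Technology", "Intel Corporation", "aa02"),
    VendorCert("Intelligent Systems Ltd", "Intelligent Systems Ltd", "bb01"),
    VendorCert("Intellicorp Software", "Intellicorp Software", "cc01"),
    VendorCert("Microsoft Windows", "Microsoft Corporation", "dd01"),
    VendorCert("Microsoft Corporation", "Microsoft Corporation", "dd02"),
    VendorCert("Example Tools GmbH", "Example Tools GmbH", "ee01"),
]


class TrustedVendorStore:
    """Vendor certificates grouped by organization; everything starts disabled."""

    def __init__(self, certs):
        self.by_org = defaultdict(list)
        self.by_thumbprint = {}
        for c in certs:
            self.by_org[c.organization].append(c)
            self.by_thumbprint[c.thumbprint] = c
        self.enabled = set()  # thumbprints currently trusted (opt-in, not opt-out)

    def companies(self):
        return sorted(self.by_org)

    def substring_matches(self, needle):
        """What a name-substring search returns; demonstrates the over-match problem."""
        return sorted(org for org in self.by_org if needle.lower() in org.lower())

    def enable_company(self, org):
        for c in self.by_org[org]:
            self.enabled.add(c.thumbprint)

    def disable_company(self, org):
        for c in self.by_org[org]:
            self.enabled.discard(c.thumbprint)

    def enable_cert(self, thumbprint):
        if thumbprint not in self.by_thumbprint:
            raise KeyError(thumbprint)
        self.enabled.add(thumbprint)

    def is_trusted(self, thumbprint):
        return thumbprint in self.enabled

    def classify_signer(self, thumbprint):
        """Decision for a file signed by `thumbprint` (install time or HIPS alert).

        Returns (status, organization):
          "trusted"         -> signer is enabled, allow
          "disabled_vendor" -> in the list but disabled; offer to enable the cert
                               or the whole company
          "unknown"         -> not in the list at all; treat as unsigned
        """
        if thumbprint in self.enabled:
            return "trusted", self.by_thumbprint[thumbprint].organization
        cert = self.by_thumbprint.get(thumbprint)
        if cert is None:
            return "unknown", None
        return "disabled_vendor", cert.organization

    def disabled_companies(self, hidden=()):
        """Companies with no enabled cert, minus any the user chose to hide."""
        return [org for org in self.companies()
                if org not in hidden
                and not any(c.thumbprint in self.enabled for c in self.by_org[org])]


def build_sample_store():
    return TrustedVendorStore(SAMPLE_VENDORS)


if __name__ == "__main__":
    store = build_sample_store()
    print("substring 'Intel' matches:", store.substring_matches("Intel"))
    store.enable_company("Intel Corporation")
    print("aa02 ->", store.classify_signer("aa02"))
    print("bb01 ->", store.classify_signer("bb01"))
    print("still disabled:", store.disabled_companies())
```

The point of keying on the organization field and on the thumbprint is that the display name is free text: a name containing "Intel" says nothing about who controls the key, so enabling by substring would also enable unrelated vendors. Trust decisions at alert time are made on the exact fingerprint, and the company grouping is only a convenience for bulk enable/disable over fingerprints that share the same subject organization.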