Re: Code Signing Certificates for individuals / open-source

From: Michel Gallant (neutron_at_istar.ca)
Date: 09/21/05

Date: Wed, 21 Sep 2005 09:18:26 -0400

I think there is a lot of lack of understanding as to exactly what
an issued code-signing certificate is supposed to actually mean.
The ONLY thing it means is that:

  - the entity who has used that certificate, issued by a well-known CA
    (VeriSign etc..), has been IDENTIFIED by the issuing CA. This facilitates
    distribution of signed code from anywhere.

  - Note that this says absolutely NOTHING about any TRUST in the entity
    who owns that code-signing certificate.

  - the technology fact that your software/technology can verify that no tampering
    has occurred has nothing to do with trusting the owner (or user) of the code-signing
    certificate.

There is a lot of misleading information about "trusted signers" which is complete
nonsense. You must NEVER trust any company's or individual's code which was
signed by a "recognized" code-signing certificate unless you have done DUE DILIGENCE
in making sure that you implicitly trust the company or entity who you believe owns
and properly maintains their code-signing certificate!
IMO, companies like VeriSign who charge ~ 200.00+ for a code-signing certificate
are making use of their reputation of trust but that definitely SHOULD not extend to
end users automatically and naively trusting code signed with one of these companies'
code-signing certs.

So Microsoft obviously does NOT want to be in the optics business of trying to
enable developer trust by assisting in promotion of CA issuance infrastructure.

BTW, I have purchased a commercial code-signing cert from VeriSign ...
but would anyone trust code signed with MY certificate, just because it was issued
by VeriSign? Anyone who does this is a fool and does not understand the real trust
issues :-)
You can see my commercial cert issued via my home page.

Cheers,
 - Mitch Gallant
   MVP Security
   www.jensign.com

(btw, do you REALLY believe and trust that the owner of the jensign web site is associated
with an MVP owner?? prove it! Also, does Mitch Gallant REALLY own the JavaScience Consulting
certificate used to sign many win32 exe and .net assemblies on that site?? PROVE IT!)

"Will" <Will@discussions.microsoft.com> wrote in message news:9B6A0F84-87B3-4C44-9B8C-66713BA6F3AB@microsoft.com...
> Why do code signing authorities refuse to issue certificates to individuals
> or open-source projects? Are they seriously saying that organisations like
> Enron, Worldcom, etc are more trustworthy than the people who contribute to
> GotDotNet? Why do they cost so much?
>
> Code Signing is a great idea because it allows you to identify who has
> written a software product. It encourages developers to take responsibility
> for their software. Certainly, someone who is prepared to put their name and
> address with some registering authority is less likely to distribute
> malicious code and if they do their certificate could be withdrawn or
> black-listed.
>
> Microsoft should promote the idea that you don't install or run anything on
> your PC unless it has a code signed certificate that ties the code to the
> website to the individual. It is then a simple matter of people visiting the
> website linked with the certificate and making a personal judgment as to
> whether to trust the person who wrote the code. For example, a website that
> listed various GotDotNet projects, published articles and membership of
> professional organizations (all with appropriate links) possibly belongs to
> someone you can trust. The more good stuff people publish the more trusted
> they become; a quick search on MSN / Google tells you a lot about someone
> (even me).
>
> What's the alternative? The present situation whereby 99% of open-source
> code is downloaded without any form of identification? Why can't Microsoft
> help individuals get a code signing certificate?
>
> Will Stott
>

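As an added example (not from Mitch's post, and not code from jensign.com) of keeping the two questions in the post apart on a Windows box, the PowerShell below first asks the platform whether the Authenticode signature verifies (no tampering, signer identified by a CA that chains to a trusted root) and only then applies a separate, locally maintained publisher allowlist. The function name `Test-VettedPublisher`, the allowlist variable and the all-zero thumbprint in it are assumptions and placeholders.

```powershell
# Added example: "signature verifies" and "I trust this publisher" are two different checks.
# Assumes Windows PowerShell with Get-AuthenticodeSignature available.
# The thumbprint below is a PLACEHOLDER; replace it with the SHA-1 thumbprint of a
# publisher certificate you have vetted yourself (DUE DILIGENCE, as the post says).
$TrustedPublisherThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real certificate
)

function Test-VettedPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: integrity + identity. 'Valid' only means the file hash matches the signed hash
    # (no tampering) and the signer's certificate chains to a root this machine already trusts.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Reject'
                                  Reason = "Signature status: $($sig.Status) ($($sig.StatusMessage))" }
    }

    $cert = $sig.SignerCertificate
    # A self-issued certificate (makecert style) means no third party identified the signer at all.
    if ($cert.Subject -eq $cert.Issuer) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Reject'
                                  Reason = "Self-signed signer: $($cert.Subject)" }
    }

    # Step 2: trust. A CA-issued certificate identifies the signer; whether you trust that
    # signer is a local policy decision the CA never made for you.
    if ($TrustedPublisherThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Hold'
                                  Reason = "Valid signature from unvetted publisher '$($cert.Subject)' (issuer: $($cert.Issuer))" }
    }

    [pscustomobject]@{ Path = $Path; Verdict = 'Allow'
                       Reason = "Valid signature from vetted publisher '$($cert.Subject)'" }
}

# Usage: triage everything in the download folder before running any of it.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.dll, *.msi -Recurse |
    ForEach-Object { Test-VettedPublisher -Path $_.FullName } |
    Format-Table Verdict, Path, Reason -AutoSize
```

A 'Hold' verdict is the case the post is about: the platform says the signature is fine, and that is still not a reason to run the code.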