www-infrastructure-dev mailing list archives

From: "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject: RE: Official code signing certificate
Date: Thu, 21 Mar 2013 16:57:34 GMT
Here is a high-level view of this from Microsoft's perspective.  The part starting with "Obtaining certification" seems clear enough: <http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx>.  The code-signing (software-publishing) certificates are X.509 certs extended for software publishing use.  It is the verification of the publisher, and indication of that level in the cert, that is specific to it being for code-signing.  Not all CAs offer code-signing certificates.

There are two kinds of certificate that matter for software that installs in Windows.  Symantec has (1) Code Signing Certificates for Microsoft Authenticode Technology and (2) Extended Validation Code Signing.  The second is required for software in the Microsoft Store and it also reduces ceremony when downloading and installing on Windows 8 and in Internet Explorer.  There are different applications for organizations versus individuals but the fee structure is the same.  EV comes with a hardware token and involves more-extensive vetting.  It costs more also.  There is only one application flavor.

Here's the Symantec Signing Subscriber Agreement:
<https://www.verisign.com/repository/agreements/codesigning/subscriber.html> (a PDF
will download).
See section 8.2.

In any case, I don't think any of us can provide the assurances that are being asked for here.  It is up to a responsible ASF party to determine whether there are any strings and, if so, whether they are acceptable.

 - Dennis

who does not even play a lawyer on cable. 

PS: The Document Foundation has found it acceptable to obtain an Authenticode cert that is
applied to LibreOffice Windows installs.  They must be at least as wary (of Microsoft in particular)
as reflected in this line of questioning.  

PPS: I presume that Symantec counter-signs the public key, not the private key, and the ceremony
involves demonstration that the provider of the public key possesses the private key (and
is presumably the applicant or designated agent).  That would be consistent with the X.509
certificate creation process for other cases on the Windows platform.  The whole point of
this scheme is that no one but the subscriber has the private key and not even the CA knows
it.  (Not sure how hardware tokens come into this with the Extended Validation puppy.)

PPPS: The difference between this and PGP PKI is not only that it isn't X.509 and requires
out-of-band verification by expert users, but that the trust regime is different.  There is
nothing in the PGP WoT for strong organizational confirmation.  (There's no insurance protection
that comes with the PGP key generation, either.)
So, not only does the user have to work harder than is reasonable for end-users, they won't
know what they've learned by verifying such a signature, beyond it having verified.

-----Original Message-----
From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name] 
Sent: Thursday, March 21, 2013 06:09
To: Jürgen Schmidt
Cc: infrastructure-dev@apache.org
Subject: Re: Official code signing certificate

Jürgen Schmidt wrote on Thu, Mar 21, 2013 at 13:32:40 +0100:
[ ... ]

In SSL certificates the issuer checks your identity (much like most
people would ask to see your passport before signing your PGP key).

> Important is that today systems like Windows 8 or Apple with their app
> store require signed applications that can be verified in some automated
> way to check at least the certificate chain until the root certificate
> etc. If it can't be verified the user gets informed with some dialogs to
> request further approval or acceptance to continue.

[ ... ] 

What are the differences between your proposal and just
using PGP detached signatures, other than the latter being a different
technology and lacking the advantage of a pre-trusted key (Symantec's)
and of integrated-in-the-OS (or required-by-the-app-store) verification?

For example: does releasing software under a certificate Microsoft
pre-trusts (or into an app store Apple moderates) subject ASF to an
indemnification clause towards that company?  Does it grant the company
a license to use our trademarks in advertising?  Does it compel ASF to
offer warranty to end-users?
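Dennis's PPS above describes the CA counter-signing the subscriber's public key only after the subscriber proves possession of the matching private key, which the CA never sees. As an added example that is not part of this thread, the openssl session below walks through that ceremony against a throwaway local CA and checks the properties the PPS relies on: no private key in the CSR, the CSR self-signature verifies, and the issued X.509 cert carries the subscriber's public key plus the codeSigning extended key usage. File names, subject names and the local CA are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the CSR/CA ceremony from the PPS, run with
# the openssl CLI. The subscriber keeps the private key; only the CSR goes to the
# CA, which returns a cert extended with the codeSigning EKU. Names are constructed.
set -e
WORK=$(mktemp -d)

# Subscriber side: generate the key pair and a CSR. The private key never leaves here.
make_subscriber_csr() {
  openssl genrsa -out "$WORK/subscriber.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/subscriber.key" \
    -subj "/O=Example Publisher/CN=Example Publisher" -out "$WORK/subscriber.csr" 2>/dev/null
}

# What the CA receives: a PEM CSR containing no private key material.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$WORK/subscriber.csr"
}

# CA side: check the CSR self-signature (proof of possession) before signing anything.
verify_csr_pop() {
  openssl req -in "$WORK/subscriber.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# CA side: counter-sign the public key from the CSR into a cert with the codeSigning EKU.
issue_codesigning_cert() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example CA/CN=Example Code Signing CA" -days 1 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=critical,codeSigning\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/subscriber.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/subscriber.crt" 2>/dev/null
}

# Relying party: chain verification up to the root, as an OS installer would do.
cert_chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/subscriber.crt" 2>&1 | grep -q ": OK"
}

# Relying party: the cert must be marked for code signing, not merely be a valid cert.
cert_has_codesigning_eku() {
  openssl x509 -in "$WORK/subscriber.crt" -noout -text | grep -q "Code Signing"
}

# The issued cert carries exactly the subscriber's public key; the CA never held the private one.
cert_pubkey_matches_subscriber() {
  [ "$(openssl x509 -in "$WORK/subscriber.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/subscriber.key" -pubout 2>/dev/null)" ]
}
```

Run the functions in order (CSR, proof-of-possession check, issuance, relying-party checks); a CSR whose self-signature does not verify would fail at `verify_csr_pop` and the CA should refuse to sign it.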
