www-infrastructure-dev mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Official code signing certificate
Date Thu, 21 Mar 2013 12:09:32 GMT
Jürgen Schmidt wrote on Thu, Mar 21, 2013 at 08:53:29 +0100:
> On 3/20/13 9:37 PM, Daniel Shahaf wrote:
> > So... what kind of certificate is that?  How much does it cost, what
> > kind of year to year maintenance it requires, etc.
> 
> For Windows it is a
> "Code Signing Certificates for Microsoft Authenticode
> Digitally sign 32-bit or 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi,
> .xpi, and .xap files) and kernel-mode software. Provider for Microsoft
> Windows Logo programs."
> 
> see [1] and [2]
> 
> [1] http://www.symantec.com/verisign/code-signing/microsoft-authenticode
> [2] overview http://www.symantec.com/code-signing
> 
> I found a price by Symantec of 499$/year (reduced prices for 2 or 3
> years) but there was already an opportunity that we can find a sponsor,
> potentially a provider of such certificates.
> 

Can you summarise it for me with the marketing stuff stripped please.
Is it "Any company can pay $500 a year to get a signing certificate
which is trusted-by-default (via trusting Symantec) by all Windows
installations"?

Are there any strings attached here?  Would using such a cert grant
any rights to Symantec/Microsoft/Endusers that ASF doesn't currently
grant?

> Juergen
> 
> > 
> > Jürgen Schmidt wrote on Wed, Mar 20, 2013 at 10:28:23 +0100:
> >> Hi,
> >>
> >> I reused this existing thread to restart the discussion about official
> >> code signing. In case of AOO we are moving towards our next major
> >> release AOO 4.0 which is planned for end of June. With over 40 million
> >> downloads in less than 1 year and most of them for Windows this topic is
> >> still very important for the project to provide the best user experience
> >> and the necessary trust in the product on modern Windows Systems like
> >> Windows 8.
> >>
> >> On http://wiki.apache.org/general/ASFCodeSigning#preview I started to
> >> collect requirements and describe also the existing solution in AOO
> >> today and how it can be used in a more general approach.
> >>
> >> The proposal is only one example but I think a practical one when I take
> >> all the security concerns into account. But of course it probably
> >> requires interaction with the trusted paid staff members.
> >>
> >> I hope we can move this important topic forward and can find a
> >> satisfying solution for all ASF projects who need code signing.
> >>
> >> Juergen
> >>
> >>
> >>
> >>
> 
