www-infrastructure-dev mailing list archives

From Jürgen Schmidt <jogischm...@gmail.com>
Subject Re: Official code signing certificate
Date Thu, 21 Mar 2013 12:32:40 GMT
On 3/21/13 1:09 PM, Daniel Shahaf wrote:
> Jürgen Schmidt wrote on Thu, Mar 21, 2013 at 08:53:29 +0100:
>> On 3/20/13 9:37 PM, Daniel Shahaf wrote:
>>> So... what kind of certificate is that?  How much does it cost, what
>>> kind of year-to-year maintenance does it require, etc.?
>>
>> For Windows it is a
>> "Code Signing Certificate for Microsoft Authenticode:
>> Digitally sign 32-bit or 64-bit user-mode (.exe, .cab, .dll, .ocx, .msi,
>> .xpi, and .xap files) and kernel-mode software. Provider for Microsoft
>> Windows Logo programs."
>>
>> see [1] and [2]
>>
>> [1] http://www.symantec.com/verisign/code-signing/microsoft-authenticode
>> [2] overview http://www.symantec.com/code-signing
>>
>> I found a price from Symantec of $499/year (reduced prices for 2 or 3
>> years), but there was already an opportunity that we could find a sponsor,
>> potentially a provider of such certificates.
>>
> 
> Can you summarise it for me with the marketing stuff stripped, please?
> Is it "Any company can pay $500 a year to get a signing certificate
> which is trusted by default (via trusting Symantec) by all Windows
> installations"?

Well, money sells, and everybody can buy a certificate for whatever
reason. I think it is comparable to any other certificate, like those for
domains etc. I don't know, but I think the providers of such certificates
do some verification before you get or are allowed to buy a certificate.
But I don't know for sure.

What is important is that today systems like Windows 8 or Apple with their app
store require signed applications that can be verified in some automated
way, checking at least the certificate chain up to the root certificate
etc. If it can't be verified, the user gets informed with some dialogs
requesting further approval or acceptance to continue.

> 
> Are there any strings attached here?  Would using such a cert grant
> any rights to Symantec/Microsoft/Endusers that ASF doesn't currently
> grant?

I don't understand. If Symantec, for example, decided to sponsor such
a certificate, the ASF would get a certificate with all the related data
for the ASF. That means the user would see the ASF as the publisher
somewhere in the verification process if necessary.

Juergen

> 
>> Juergen
>>
>>>
>>> Jürgen Schmidt wrote on Wed, Mar 20, 2013 at 10:28:23 +0100:
>>>> Hi,
>>>>
>>>> I reused this existing thread to restart the discussion about official
>>>> code signing. In the case of AOO we are moving towards our next major
>>>> release, AOO 4.0, which is planned for the end of June. With over 40 million
>>>> downloads in less than 1 year, most of them for Windows, this topic is
>>>> still very important for the project to provide the best user experience
>>>> and the necessary trust in the product on modern Windows systems like
>>>> Windows 8.
>>>>
>>>> On http://wiki.apache.org/general/ASFCodeSigning#preview I started to
>>>> collect requirements and also describe the existing solution in AOO
>>>> today and how it can be used in a more general approach.
>>>>
>>>> The proposal is only one example, but I think a practical one when I take
>>>> all the security concerns into account. But of course it probably
>>>> requires interaction with the trusted paid staff members.
>>>>
>>>> I hope we can move this important topic forward and find a
>>>> satisfying solution for all ASF projects that need code signing.
>>>>
>>>> Juergen
>>>>
>>>>
>>>>
>>>>
>>
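The automated check the message refers to (signature status, then the certificate chain up to a trusted root) can be reproduced on the verifying side with stock PowerShell. The following is an added example for this archive page, not code from the thread or from the AOO project; the file path is a placeholder, and the chain is rebuilt with the platform's own X509Chain so that the root the system ultimately trusts is visible.

```powershell
# Added example: inspect an Authenticode signature the way Windows does before
# trusting an installer: signature status first, then the chain to the root.
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Publisher = $null
        Root      = $null
        ChainOk   = $false
        Timestamp = $null
    }

    if ($sig.Status -ne 'Valid') {
        # Anything other than Valid is what makes Windows show the warning dialogs
        # mentioned in the thread; stop here and report the reason.
        return [pscustomobject]$result
    }

    # Publisher as the end user would see it (the certificate's subject).
    $result.Publisher = $sig.SignerCertificate.Subject
    if ($sig.TimeStamperCertificate) {
        # A timestamp keeps the signature valid after the signing cert expires.
        $result.Timestamp = $sig.TimeStamperCertificate.Subject
    }

    # Rebuild the chain with revocation checking so the trusted root is explicit.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $result.ChainOk = $chain.Build($sig.SignerCertificate)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
    $result.Root = $last.Certificate.Subject

    # Surface every chain problem (expired, untrusted root, revocation offline, ...).
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    [pscustomobject]$result
}

# Usage (the path is a placeholder; point it at any downloaded installer or DLL):
# Test-SignedBinary -Path 'C:\path\to\installer.exe' | Format-List
```

A `Status` of `NotSigned` or `HashMismatch`, or `ChainOk` being false with an `UntrustedRoot` warning, is exactly the condition under which Windows falls back to asking the user for approval; a sponsored or purchased certificate chaining to a root in the Windows trust store is what turns that prompt into a silent `Valid` with the ASF shown as `Publisher`.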

