How to get an EV cert for freelancers / small-time hobbyist developers?

Hi everyone:

I’m a freelance developer. Most of my work-for-hire is not signed by me. (The final signing is done by the client using their own corporate digital certificates.)

I myself though have developed several free tools that I let people download off my web site. There’s no charge for that software, there’s no adware in it, no data mining, and no other strings attached. It’s just something that I’ve developed over the years that I want to share with the world. (In other words, I’m not getting any money for doing that.)

I sign those tools with my regular (non-EV) digital certificate that I purchased from Comodo. I chose that CA because of their reasonable pricing. As I said above, I don’t get any income from that free software. (I obviously have to “eat up” the cost of the regular cert, but luckily that wasn’t much and I could afford it.)

So recently it came to my attention that Windows 10 no longer accepts cross-signed kernel drivers and a publisher needs to obtain an EV cert to pass their certification to have Microsoft sign it themselves. Here’s the video with info:
https://channel9.msdn.com/Events/Windows/Filter-Plugfest28/Driver-Certification-on-Windows-Client-and-Server

OK. I can probably pass the certification and such, but…

I tried to apply for an EV cert at DigiCert and later at Comodo and both CAs told me that they will not issue a certificate for an individual developer and that the minimum I need to have is a business record (i.e. start a business and have a DBA record) in my state.

So my question to freelancers, hobbyists and other developers – how do you get out of this catch-22? How do you get an EV cert if you don’t have a business registered under your name? Can you share the process?

PS. Besides that, I am not mentioning the cost of an EV cert, that is at least $300+ (provided that you can pay $1,000 up front for 3 years.)

This will kill my free software!

I can mention that in Sweden you needed to register a business already to buy the old SHA-1 cert, so this problem has existed for a long time. (And registering a business here means depositing 5000 euro (that you can get back if you unregister).)

Bo Branten

Windows 10 does support cross-signed kernel drivers.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, March 7, 2017 1:52 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to get an EV cert for freelancers / small-time hobbyist developers?

NTDEV is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!

You don’t. By design.

Yes, this sucks. Yes, everyone is aware of the problem. No, I am not aware of any plans to change it.

I have no idea where in the world you’re located. But if you’re in most states of the United States, unless you’re paid as an employee when you freelance, you ARE technically a business. In most states in the United States, you’re SUPPOSED to get a business license. Just get one. The cost is almost always negligible. Problem solved.

Peter
OSR
@OSRDrivers

xxxxx@gmail.com wrote:

I’m a freelance developer. Most of my work-for-hire is not signed by me. (The final signing is done by the client using their own corporate digital certificates.)

And you are not incorporated? That’s a rather dangerous situation, in
terms of liability. Incorporation only costs about $100 and provides
you with a certain amount of legal protection.

So recently it came up to my attention that Windows 10 no longer accepts cross-signed kernel drivers…

Sort of. If you have a clean (non-upgrade) install of Windows 1607 on a
machine with “secure boot” set in the BIOS, then the package must be
signed by Microsoft. If those three conditions aren’t met, then
cross-signing continues to work.

…and a publisher needs to obtain an EV cert to pass their certification to have Microsoft sign it themselves. …
OK. I can probably pass the certification and such, but…

It’s not really “certification”. To get attestation signing, you have
to create a “sysdev” account. To create a “sysdev” account, you have to
have an EV certificate.

I tried to apply for an EV cert at DigiCert and later at Comodo and both CAs told me that they will not issue a certificate for an individual developer and that the minimum I need to have is a business record (i.e. start a business and have a DBA record) in my state.

True, you need to be a business. Corporations and LLCs are not that
hard to start. However, I believe DigiCert checks your Dun and
Bradstreet record, and that requires a certain amount of history.

So my question to freelancers, hobbyist and other developers – how do you get out of this catch-22? How do you get an EV cert if you don’t have a business registered under your name? Can you share the process?

It’s not a Catch-22. If you want to play in the Windows kernel space in
2017, you need to be incorporated.

PS. Besides that, I am not mentioning the cost of an EV cert, that is at least $300+ (provided that you can pay $1,000 up front for 3 years.)

There used to be more choices, but since Symantec bought VeriSign and
DigiCert bought GlobalSign, they are consolidating power.

This will kill my free software!

Yes. It seems that Microsoft no longer wants the Windows kernel to be
thought of as a hobbyist playground.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
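A way to check the conditions Tim describes on an actual machine, as an added example that is not part of the thread and not code from any of the posters (PowerShell, run from an elevated prompt). The first function reports whether this install is one on which Windows refuses cross-signed kernel drivers; the second classifies how a given driver file is signed. Assumptions not stated in the thread: that the UpgradedSystem value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy is what marks an in-place upgrade, that build 14393 is Windows 10 version 1607, and that Microsoft attestation-signed and HLK-signed drivers carry the signer name "Microsoft Windows Hardware Compatibility Publisher".

```powershell
# Added example, not code from the thread. Requires an elevated prompt.
# Assumptions (not stated in the thread): UpgradedSystem under CI\Policy marks
# an in-place upgrade; build 14393 is Windows 10 version 1607; attestation/HLK
# signed drivers carry the signer name matched in Get-DriverSigningKind.

function Test-MsSignedDriverEnforcement {
    # True when Windows will reject cross-signed kernel drivers:
    # build >= 1607, Secure Boot on, and not an in-place upgrade.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

    try {
        # Throws on legacy BIOS / non-UEFI firmware; treat that as "off".
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $secureBoot = $false
    }

    $policy   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $upgraded = (Get-ItemProperty -Path $policy -Name UpgradedSystem `
                   -ErrorAction SilentlyContinue).UpgradedSystem -eq 1

    [pscustomobject]@{
        Build               = $build
        SecureBoot          = $secureBoot
        UpgradedSystem      = $upgraded
        RequiresMsSignature = ($build -ge 14393) -and $secureBoot -and (-not $upgraded)
    }
}

function Get-DriverSigningKind {
    # Classifies the Authenticode signer of a driver binary (.sys).
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Kind = 'Unsigned'; Status = $sig.Status; Signer = $null; Issuer = $null }
    }

    $subject = $sig.SignerCertificate.Subject
    # Order matters: the attestation signer subject also contains O=Microsoft Corporation.
    $kind = switch -Wildcard ($subject) {
        '*Microsoft Windows Hardware Compatibility Publisher*' { 'Microsoft (attestation/HLK)'; break }
        '*O=Microsoft Corporation*'                            { 'Microsoft (inbox)'; break }
        default                                                { 'Third-party (cross-signed or test-signed)' }
    }

    [pscustomobject]@{
        Path   = $Path
        Kind   = $kind
        Status = $sig.Status                 # 'Valid' means the chain resolves on this machine, nothing more
        Signer = $subject
        Issuer = $sig.SignerCertificate.Issuer
    }
}

# Usage:
#   Test-MsSignedDriverEnforcement
#   Get-DriverSigningKind -Path 'C:\path\to\driver.sys'
```

Get-AuthenticodeSignature only exposes the leaf signer, so a third-party result does not by itself tell you whether the cross-certificate is embedded; `signtool verify /v /kp driver.sys` from the WDK prints the full chain under the kernel-mode policy and is the check to run before shipping. A Status of Valid also says nothing about whether the kernel on a given machine will load the driver; that is what the first function's RequiresMsSignature column is for.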

Let’s be 100% clear. You don’t need to be incorporated, based on any of the guidelines that I’ve read. You *do* need to be a business. You can be a sole proprietorship. You can be a partnership. But you need to be a business.

Sad, but true.

I think having no provision for hobbyists, software give-away people, and small niche software solutions is a mistake. It would not take much for MSFT to put their weight (and a few dollars) behind some sort of .org that could solve this problem. Sigh.

Peter
OSR
@OSRDrivers

Yes, it’s easy to get a minimal incorporation in most states.

But I really wonder why msft bothers with its “maker” outreach and all its
IoT nonsense when they insist on putting barriers to deployment all over
the place. I suppose for IoT they think you can do it all from usermode,
and that does more or less work, but it is rather bulky compared to many
other free platforms.

Mark Roddy

On Tue, Mar 7, 2017 at 12:38 PM, Tim Roberts wrote:


Thank you all for your replies!

Yes, I guess I will have to start an LLC under my name.

@TimRoberts: I think you’re right, DigiCert people were asking about the Dun & Bradstreet record during our short email conversation. Just curious though, if I start a new business, it won’t have much of a record anywhere. What would be my options then to qualify for an EV cert? Another catch-22?

The EV standard allows lots of things as a minimum set of requirements. Ultimately it’s up to any given CA what they require in order to give you the cert.

So, the requirements aren’t uniform. If you get answers from one CA you don’t like, ask another.

OSR
@OSRDrivers

Thanks, Peter. I’m relatively new in the EV certs world. What are my options regarding the choice of CAs that would be accepted by Microsoft for kernel driver signing?

> What are my options regarding the choice of CAs that would be accepted by Microsoft for kernel driver signing?

Check over here:
https://msdn.microsoft.com/windows/hardware/drivers/dashboard/get-a-code-signing-certificate
It lists: Symantec, Certum, Entrust, GlobalSign and DigiCert

The thing to do, Mr. m.p., is to just get on the phone with these people (in my experience they usually do phone better than email or chat) and explain to them: “Hey, I’m an independent software developer. I freelance. I need to be able to sign Windows drivers, so I need an EV Cert. What is it that you need from me, in order for me to get that EV Cert from you?”

Keep in mind, they don’t really care about or understand MSFT code signing. They sell certificates. It’s their product. They have guidelines. Being able to fit you through those guidelines is in their interest, so they can sell you their product. If you get somebody who doesn’t seem to know much about the ins and outs of the various possible options, ask if there’s somebody else you can talk to who might know more about how folks in your situation can get an EV Cert.

We see posts about this sort of stuff from time to time here on NTDEV. People treat this like it’s some kind of mystery. The guidelines for granting EV Certificates are public and available on the Internet. The CAs are just businesses. Call them and talk with them.

And under no circumstances feel the need to apologize for the fact that you’re not some big corporation. Take the attitude that you’re a proud business person, trying to do business with these turkeys, who need to clue up and accommodate your legitimate need for an EV cert so that you can do your business.

tl;dr Get on the phone and find out what each CA wants you to do in order for you to be able to buy their product… never feel the need to apologize that you’re not a big corporation.

Peter
OSR
@OSRDrivers

CAs may listen to your complaints on the phone but they won’t lower their verification standards, exactly because they mind their business and do what the majority of their customers pay for.

Methinks we should turn this over to Microsoft.
How hard would it be for them to add another level of security that is no-nonsense
(not test-signing, which accepts anything that looks like a signature)
but allows users to approve certain software packages to run on their machines?

This ‘approval’ must be easily accessible and doable by a non-technical end user (a feature, not a hack) - but secure enough to withstand the usual attack vectors.

I don’t know how this can be done, but the Softies are so smart, can’t they just invent something?

– pa

It always struck me as weird that Microsoft offered a way for individuals to
get access to the Windows source with having a cert, but could not do the
same for signing a driver.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@fastmail.fm
Sent: Thursday, March 09, 2017 1:16 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to get an EV cert for freelancers / small-time hobbyist developers?


Just two examples of how this imaginary ‘self-approval’ could work, IMHO. $0.01 each.

  1. User reboots into special new mode (like Safe mode or Test-signing).
    Then Windows prompts for the package or driver to install.
    (can require special super-admin password or captcha or whatever).
    The user points it to the package and Windows just installs it.
    Then user reboots to the normal mode and enjoys.

  2. User gets a crypto dongle (smartcard) which contains a pre-installed certificate.
    User registers this device with Windows, one time only.
    Since then, Windows on this machine will accept anything signed with this dongle.
    Users can self-sign any software that they choose to trust for their machines only.
    The signing can be done on this or other machine.
    If the dongle gets lost, user can de-register it and buy another one.
    This scenario is suitable for managed machines: by adults for their children, IT staff for their users.

Regards,
– pa

xxxxx@fastmail.fm wrote:

Just two examples of how this imaginary ‘self-approval’ could work, IMHO. $0.01 each.

  1. User reboots into special new mode (like Safe mode or Test-signing).
  2. User gets a crypto dongle (smartcard) which contains a pre-installed certificate.

It’s not clear to me that either of these options is any less invasive
than the solution we currently have, which is booting into the BIOS and
disabling “Secure Boot”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

No, dude, of course they won’t. That’s not the point.

The POINT is that most will work with you to try to figure out the easiest way for you to MEET their standards. I’ve found the cert people very helpful, when they’re not approached with some stupid scenario like:

WHATS WRONG WITH YOU PEOPLE IT’S MY GOD GIVEN RIGHT TO GET A CERTIFICATE FROM YOU I KNOW BECAUSE I READ IT IN THE BIBLE AND WHY DO YOU CHARGE SO MUCH MONEY ANYWAYS ITS NOT WORTH IT YOU PEOPLE ARE NOTHING BUT ROBBERS AND A BUNCH OF DOUCHE NOZZLES BESIDES IT COSTS YOU NOTHING TO ISSUE A CERTIFICATE

or equally bad:

I know I’m just a lowly sleeze ball, Mr. Certificate Authority Guy, Mister, Sir… but, golly, gee, you know, how’s a kid like me supposed to get a certificate so that he can make his college or freeware or community or really cute bot thing work, even though I’m not in college anymore and have a job where I work for myself, and you know, make six figures and change, I mean I’m a good boy and I go to church and pay my bills and I bought my moms a house and voted for the same person you did and everything, so won’t you please please please help me out?

Just talk to them biz to biz and find out what the deal is. I find too many folks go with either of the above strategies, or – worse – don’t bother the get on the phone at all, Google for their answers, peruse the web site, maybe get into chat with a drone, and then give up.

Peter
OSR
@OSRDrivers

> It’s not clear to me that either of these options is any less invasive
> than the solution we currently have, which is booting into the BIOS and
> disabling “Secure Boot”.

Mr. Roberts, because tampering with the BIOS is a hack, not a feature.
Non-technical users do not always know where the BIOS is or what Secure Boot is.
If they know, they may be reluctant to disable it. So it had better work even with Secure Boot enabled.
Suppose you could tell your machine in a firm voice: Jarvis! Install. This. Now.
(Oops, that’s Cortana… whatever.)

Windows IoT is a joke. I can’t imagine anybody would invest in developing on a closed-source platform which they are unable to tune for a custom platform, with the risk of support being discontinued, as happened with Intel Galileo.

Talk about thread drift… But, with respect, you’re mixing your concepts and as a result talking nonsense.

As a SKU, Windows IoT is definitely not a joke. It’s the replacement for Windows Embedded, which has pretty good traction in the market. So, let’s start with that. “Windows IoT Enterprise” (for example) is just the new name for Windows Embedded Standard, or whatever.

The Galileo? Yes, agreed. Not a useful platform. Sort of a solution in search of a problem. Intel trying to be relevant. Kinda sad, I agree.

In terms of Windows in the actual IoT market: Remember, in addition to small Intel-architecture systems, Windows IoT runs on a group of ARM-based systems, including RPI and various Qualcomm boards. Windows IoT on the RPI doesn’t suck. One could make an argument that the developer environment (Visual Studio, C#/VB, debugger, etc) coupled with the support of common hardware (from RPI out of the box to the Q-Comm systems and BSPs, to other more custom platforms), can result in a reasonably compelling package for building an IoT product.

Just because, in the past, people have had to cobble together some Linux distro to work on some random ARM processor, doesn’t mean it has to be that way in the future.

So, no. Definitely not a joke. I’d like to see MSFT increase investment in this area. The Microsoft toolchain and development environment has turned out to be a major competitive advantage. Who would have thought it would happen?

Peter
OSR
@OSRDrivers