Why is signing drivers such a mess?

> I’d LOVE to see a “we’ll sign your drivers for a few bucks” type company emerge.

How is a company like that supposed to get its key to sign code??? Will VeriSign or any other signing authority issue a key to a company that makes money by signing code for anyone who wishes to pay a few dollars, without assuming any legal liability for damages that code signed with its key may do??? After all, it just defeats the very purpose of code signing in the first place…

However, if what you mentioned in your post indeed becomes true, it will be just a wonderful practical explanation of why the very concept of driver signing (at least in its currently existing form) is fundamentally flawed in itself…

I think that the practice itself would be okay, as long as everyone understands that if even a single malicious binary is ever signed with that key, that key could be revoked, with obvious consequences to everything else signed with that key.

It will be interesting to see what happens when 64 bit operating systems start to outnumber 32 bit operating systems on PCs and become a worthwhile target for rootkit style malware… I’ve said before that I think the bad guys will just find a backdoor that doesn’t require signing if they want to badly enough, but it remains to be seen if this is the case or not…

James

> as long as everyone understands that if even 1 single malicious binary is ever signed with that key, that key could be revoked, with obvious consequences to everything else signed with that key.

As long as someone understands the above, he will immediately understand its implications and imagine the ensuing mess that he is more than likely to deal with, regardless of his role in the scheme: no matter whether you happen to be a code writer, a signing authority or an “intermediate” company that signs someone else’s code with its key, the whole thing is just bound to cause you a lot of pain in the neck, in the back, and below…

Anton Bassov

> > as long as everyone understands that if even 1 single malicious binary is ever signed with that key, that key could be revoked, with obvious consequences to everything else signed with that key.
>
> As long as someone understands the above, he will immediately understand its implications and imagines the ensuing mess that he is more than likely to deal with, regardless of his role in the scheme- no matter if you happen to be a code writer, a signing authority or an “intermediate” company that signs someone else’s code with its key, the whole thing is just bound to cause you a lot of pain in the neck, in the back and below…

… which was my point :slight_smile: Easier just to purchase a proper key.

James

a proper key? the infrastructure is not cryptographically sound. ask
anyone at Microsoft, they’ll go umm ahhh.

just my personal crypto experience.

brucee

On 1/4/10, James Harper wrote:
> … which was my point :slight_smile: Easier just to purchase a proper key.

Verisign doesn’t care WHY, but WHO you are. You must be a business via one
of several ways to acquire that, and of course you must be willing to part
with 800 shekels for the class 3 code signing certificate. I’ve paid for
that certificate twice, and the ONLY contact I have had with VeriSign from the
time the certificate was delivered was for them to tell me they wanted more
shekels when the certificate was about to expire. Not once did Verisign
EVER ask why or for what I intended to use the certificate.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Sunday, January 03, 2010 11:38 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why is signing drivers such a mess?

> How a company like is supposed to get its key to sign code??? Will VeriSign or any other signing authority issue a key for a company that makes money by signing code to anyone who wishes to pay few dollars, without assuming any legal liability for damages that code signed with its key may do??? After all, it just defeats the very purpose of code signing, in the first place…

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

xxxxx@gmail.com wrote:

> Driver signing is the most complex and expensive addition to hit drivers since I have been writing them for 20 years. I am unsure why it has to be this way.

In retrospect, I don’t think this situation is any more complicated than
any of the other learning curves we climb to get a driver out into the
public. There is a large amount of boilerplate in the recipe, but once
you get the recipe right, it just works from then on.

> Answers to any of these questions might help me understand this situation:
>
> 1. Why are there different classes of certificates for driver developers? For instance, why can’t the VeriSign organization certificate be used for code signing or a GlobalSign code signing certificate be used for winqual?

Partly, this is so certificate vendors can generate profit. The
certificate specification (and there IS a spec) does define a large
number of different “certificate uses”. The usage codes are embedded in
the certificate. This goes with the “perceived value” principle; some
usages are perceived as being more valuable than other usages, so the
capitalist principle is that you should pay more.

There IS some overlap. You can get a single VeriSign certificate that
does code signing AND works for Winqual. Neither VeriSign nor Winqual
are particularly interested in reducing your cost of business.

> 2. Why are we absolutely required to do business with VeriSign for logo? What would happen if they went out of business?

This is probably historical. Winqual has had the certificate
requirement for a very very long time, and when they started, there
really were no other alternatives. No one of importance has ever
complained seriously about it, so there has been no incentive to
change. After all, the $99 certificate is a relatively minor cost,
compared to the cost of submitting driver packages. The onesy-twosy
shops are not the important people. The important people are the Dells
and HPs of the world, who submit dozens or hundreds of driver packages
throughout the year.

> 3. Why are certificates forced to expire every 1-3 years? Why can’t we just buy one that lasts forever?

Because people (and companies) move. The fundamental purpose for driver
signing is to provide a reliable path for lawyers to find you when your
driver causes damage. VeriSign is not going to promise that you can
still be reached at the address you signed up with 8 years ago.

> 4. Why are certificates so expensive? And why is it an annual fee based rather than a single setup fee? How much work does VeriSign do year 2 compared to year 1?

Capitalism. You and I both know that the incremental cost of a
certificate is nearly nil. They do 10 minutes of automated background
checking by looking at your Dun & Bradstreet database record, and that’s
pretty much it.

> 5. Why is so much red tape necessary to get a certificate issued? It is impractical to get a certificate for some mobile, internet based consultants who need to meet physical presence tests for somewhere they have barely stayed or won’t be there much longer anyway.

And those are exactly the people who should not be getting certificates,
because they can’t be reached when liability issues arise.

As disgusting and disappointing as it may be, the Windows world of today
is not like the Wild West MS-DOS world of 1987, where virtually all of
the good stuff came from one-off shareware authors doing it for the
fun. Today, what we have is much more like the mainframe world of
1975. PCs are now corporate mission-critical. Rogue kernel code can
cause millions of dollars of damage to a company. If you want to submit
your driver into that world, you need to be willing to submit to a fair
amount of scrutiny. That’s just the way it is.

> 6. Why is signing the driver not part of the build tool? I modified mine by hand so that every time I press build it pops out a perfectly release signed driver, even for checked builds. I and my customers agree this has every advantage and no disadvantage.

I’m not sure what you mean. You can certainly add a “signtool” call to
your sources/makefile setup so that it runs when you call “build”.
There don’t happen to be any samples that show this, but that doesn’t
mean it’s “not part of the build tool”.

> 7. Why aren’t individuals allowed to write drivers anymore? They are prohibited from obtaining a certificate and thus barred from access to new Windows systems.

Liability. Individuals are inherently less reachable than corporations
when subpoena time rolls around.

> 8. Since this forum is riddled with posts about driver signing, is it time to open a new forum for it?

I don’t think so. Like most driver questions, once you climb over the
learning curve hump, this becomes a non-issue.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
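As an added example (not from the thread or any of its posters) of the “add a signtool call to your build” approach Tim describes: a PowerShell post-build step that embed-signs the .sys files, generates the catalog with Inf2Cat, signs the catalog with a cross-certificate (the Microsoft cross-cert list Tim links later in the thread), and verifies the result against the kernel-mode policy. It assumes the WDK tools are on PATH and the certificate with its private key is in the user’s My store; every path, the certificate subject, the cross-cert file name and the timestamp URL are placeholders.

```powershell
# Added example (not from the thread): post-build signing for a driver package.
# Assumes signtool.exe and inf2cat.exe (WDK) are on PATH, the INF names a
# CatalogFile, and the code-signing cert with its private key is in Cert:\CurrentUser\My.
# Every path, the subject name, cross-cert file and timestamp URL are placeholders.
param(
    [string]$PackageDir   = ".\package",                   # staged .inf + .sys
    [string]$CertSubject  = "Example Driver Co LLC",       # CN of the signing cert
    [string]$CrossCert    = ".\MSCV-ExampleCA.cer",        # Microsoft cross-cert for the issuing CA
    [string]$TimestampUrl = "http://timestamp.example.invalid/timestamp.dll",
    [string]$TargetOs     = "7_X64,Vista_X64"              # Inf2Cat /os list; x64 enforces signing
)
$ErrorActionPreference = "Stop"

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Native tools report failure through the exit code, not exceptions.
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Invoke-SignFile([string]$Path) {
    # /ac adds the cross-certificate so the chain reaches the Microsoft Code
    # Verification Root the kernel trusts; /t timestamps the signature so it
    # stays valid after the certificate itself expires.
    Invoke-Tool "signtool.exe" @("sign", "/v", "/ac", $CrossCert, "/s", "My",
                                 "/n", $CertSubject, "/t", $TimestampUrl, $Path)
}

# 1. Embed-sign each kernel binary (required for boot-start drivers; harmless otherwise).
$sysFiles = @(Get-ChildItem -Path $PackageDir -Filter *.sys)
foreach ($sys in $sysFiles) { Invoke-SignFile $sys.FullName }

# 2. Generate the catalog. Inf2Cat hashes PE files the Authenticode way (signature
#    data excluded), so signing the .sys first does not invalidate the catalog.
Invoke-Tool "inf2cat.exe" @("/driver:$PackageDir", "/os:$TargetOs")

# 3. Sign the catalog; this is the signature the installer checks for the .sys.
$catalog = Get-ChildItem -Path $PackageDir -Filter *.cat | Select-Object -First 1
if (-not $catalog) { throw "Inf2Cat produced no .cat in $PackageDir" }
Invoke-SignFile $catalog.FullName

# 4. Verify with the kernel-mode driver signing policy (/kp): the embedded
#    signature on each .sys, and the catalog path (/c) the installer will use.
foreach ($sys in $sysFiles) {
    Invoke-Tool "signtool.exe" @("verify", "/kp", "/v", $sys.FullName)
    Invoke-Tool "signtool.exe" @("verify", "/kp", "/v", "/c", $catalog.FullName, $sys.FullName)
}
Write-Host "Signed and verified $($sysFiles.Count) driver(s) and $($catalog.Name)"
```

Run it as the last step of the build so an unsigned or badly chained package fails the build instead of failing on the customer’s machine; a verification failure at step 4 usually means the wrong cross-certificate for the issuing CA.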

James Harper wrote:

> It will be interesting to see what happens when 64 bit operating systems starts to outnumber 32 bit operating systems on PC’s

This seems to be happening.

The last few days I was looking for netbooks. To my surprise some
companies pre-install 64bit versions of Windows on some of them.

NOT for a hobby developer, who would be the main target of such an enterprise… and for whom the idea of “if one piece of software is determined to be malware the signature winds up on the CRL” isn’t such a big deal.

His customers, each having paid zero to a few dollars for the software, come back to him and say “your stuff doesn’t work” – to which he answers “oh, darn! You’re right. Sorry. Disable driver signature enforcement and reboot” or whatever, until he gets his NEXT signature from SigsRus.com

Peter
OSR

At least for the hobbyist, are there alternatives to the $400/year VeriSign
ID? I’d pay $50/year (the cost of some alternative certificate authorities)
but for the 0.1 drivers per year I write these days, I cannot justify the
high costs of the VeriSign certificate.

There was some talk at earlier driver conferences about alternate
certificate authorities being approved, but I have not heard anything about
whether this went through.
joe

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Monday, January 04, 2010 2:52 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why is signing drivers such a mess?

> NOT for a hobby developer, who would the main target of such an enterprise…

> NOT for a hobby developer, who would the main target of such an enterprise…

I just wonder if the company that signs his code will be forced to assume liability for it …

Let’s face it - the vast majority of malware in existence is produced exactly by developers of the type you have mentioned, and if someone who signs his code is not forced to assume liability for it, the very idea of code signing loses any practical meaning…

> His customers, each having paid zero to a few dollars for the software,

Well, I think the vast majority of his “customers” would not mind paying more than a few dollars to ensure that his “production” never gets installed on their PCs…

Anton Bassov

“forced” by whom? Stalin’s been dead a long time, dude…

As far as *I* know, the only thing that could happen to the company signing the driver is that MSFT will revoke the cert. Oh well!

Whatever. But the vast majority of companies that would want this service don’t produce malware. They produce drivers for tiny markets, in their spare time, for the sheer joy of assisting the community of which they are a part. Or something.

The company doing the signing will probably WANT to do some minimal amount of due diligence, just to avoid having to keep getting new certs. But, whatever.

Nobody HAS to install a driver signed by “WeSignUrShitForTenEuros.com” – It’s entirely up to the user. Like I said… whatever.

It’d be a damn sight better than hobby devs not being able to have people use their stuff AT ALL without disabling driver signing completely.

Peter
OSR

> “forced” by whom?

By the court, apparently…

Look, the very idea behind code signing is to make it possible to trace the code originator in case it turns out to be malicious. Therefore, if you sign a piece of software with your key and then it turns out that this particular piece of software, say, steals credit card numbers, it will be you who gets summoned to court, because it is signed with your key, and, hence, for the time being you are treated as its originator. What I meant in my previous post is whether you will be held liable for everything that code signed with your key does, or whether you will be allowed just to shrug it off like “I don’t know anything - I sign anything for anyone who pays me a few dollars for it”. In the latter case the whole idea of code signing does not seem to be particularly meaningful, don’t you think…

> Stalin’s been dead a long time, dude…

Where is Mr. Kyler - I bet he is going to love it…

> Nobody HAS to install a driver signed by “WeSignUrShitForTenEuros.com”

IIRC, malware never had a reputation of asking users whether they want to install it…

Anton Bassov

Joseph M. Newcomer wrote:

> At least for the hobbyist, are there alternatives to the $400/year VeriSign ID? I’d pay $50/year (the cost of some alternative certificate authorities) but for the 0.1 drivers per year I write these days, I cannot justify the high costs of the VeriSign certificate.
>
> There was some talk at earlier driver conferences about alternate certificate authorities being approved, but I have not heard anything about whether this went through.

I just renewed my GlobalSign certificate, $400 for 3 years. It has
worked fine for me for the past two years. There are about 8
certificate authorities with valid cross-certificates available,
although because of mergers and acquisitions, that’s down to 3 different
corporations.

http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

No. I think there’s room for a legitimate middle ground.

Let’s say you and I start a web-based company, “A&P, LLC”, that signs drivers for people at… I don’t know… US$50/driver.

Here’s how we do it: Company X sends us a request to sign their driver package. We:

a) Execute an NDA with Company X, that includes a “hold harmless” clause saying A&P LLC won’t be responsible for any crap we sign for Company X.

b) Have Company X send us their driver, in source code form, with build instructions.

c) We examine the driver (handwave, handwave), and if we don’t see anything we hate, we build it per the instructions.

d) We sign the .SYS file and the package.

e) We return this package to Company X and they can distribute it to their users.

Total time invested: 10 minutes.

Service to the community: Priceless.

I don’t expect A&P LLC would be liable for the driver if it didn’t work, failed to meet its specs, or if it did anything malicious. We didn’t MAKE it. We just signed the package.

So, somewhere between “We’re fully responsible” and “We sign anything”…

To me, that would work nicely.

Peter
OSR

Tim,

How dare you miss IBM?:slight_smile:

Actually, most of the time, OEMs get the signed drivers from IHVs (ATi, Broadcom, Emulex, Intel, Nvidia, Qlogic etc…) who provide chips or adapters (video, network, storage) for their platforms. IHVs will have to sign their drivers. We do sign a lot of drivers. Fortunately, I don’t have to worry about it, nor do I want to know what VeriSign or class 3 are. The only thing about VeriSign that I know is that it appears in my browser when I log into my bank or 401k accounts. All I have to do is provide a test CAT for our PQA, just good enough to get rid of the “press F8 thingy”.

Calvin

Paying big bucks to someone who only cares about the money does not
ensure quality or liability. Try this for a laugh - try and connect
more than one model of HP printer to any PC. The drivers fight over
“who is the real messiah” and you end up with a different mess every
time you boot. Complain to HP and they say “don’t do that”. Complain
to Verisign and it becomes blame-relay.

This is real, in this room. I have a scanner, a laser printer, and a
photo printer.

Solution? Well use more computers…

brucee

On 1/5/10, xxxxx@yahoo.ca wrote:
> > The onesy-twosy shops are not the important people. The important people are the Dells
> > and HPs of the world, who submit dozens or hundreds of driver packages
> > throughout the year.
>
> Tim,
>
> How dare you miss IBM?:slight_smile:

Bruce Ellis wrote:

> Paying big bucks to someone who only cares about the money does not ensure quality or liability. Try this for a laugh - try and connect more than one model of HP printer to any PC. The drivers fight over “who is the real messiah” and you end up with a different mess every time you boot.

HP has become one of the worst. Their hardware is good, but their
driver people should be hung at dawn. When I install a printer, ALL I
WANT is a driver that turns GDI calls into dots on paper. I don’t want
600 megabytes of download, 39 DLLs, 22 full-time processes, 18 injected
hooks, 15 desktop icons, 13 unrelated utilities, 9 RSS subscriptions, 7
IE toolbars, a cheerful audio-driven help system and a partridge in a
pear tree. I did not buy my computer for the sole purpose of talking to
that printer.

It drives me nuts. That’s why I bought an Epson last time. They aren’t
nearly as bad.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> I don’t expect A&P LLC would be liable for the driver if it didn’t work, failed to meet its specs, or if it did anything malicious. We didn’t MAKE it. We just signed the package.
>
> So, somewhere between “We’re fully responsible” and “We sign anything”…
> To me, that would work nicely.

So what happens to the customer? What does he do in case his system crashes at home? Who should he contact? Does the package installation or the signing framework have enough information to tell the customer that A&P LLC can only be trusted for delivery of the package and not for its quality?

Harish

-----Original Message-----
From: xxxxx@osr.com [mailto:xxxxx@osr.com]
Sent: Monday, January 04, 2010 1:44 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why is signing drivers such a mess?

> No. I think there’s room for a legitimate middle ground.

> c) We examine the driver (handwave, handwave), and if we don’t see anything we hate, we build it per the instructions.
>
> Total time invested: 10 minutes.
>
> Service to the community: Priceless.
>
> I don’t expect A&P LLC would be liable for the driver if it didn’t work, failed to meet its specs, or if it did anything malicious. We didn’t MAKE it. We just signed the package.

If you are going to spend 10 minutes looking at the code you might as
well not bother.

For open source projects you could come up with a workable solution
though:

a. Company X sends us the source code and build instructions
b. We build the binaries, sign them, and sign the source archive and
make it available on our website for anyone to inspect.

That way our liability is to confirm that the binaries we built were
built from the source, and anyone can prove (as much as you trust us and
the certificate system) that the binaries they have were built from the
source that they can obtain and inspect. You’d probably make the source
code open to public inspection for some time (7 days?) before doing the
build and sign to reduce the chance of signing a malicious driver or
something.

Someone like Sourceforge could do it, and have some criteria that the
project have been hosted on sourceforge for some time (3 months?) before
allowing access to the signing process.

It doesn’t work for non-open source stuff of course, but who trusts
closed source code anyway? :slight_smile:

James
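An added example, not James’s code or anything from the thread, of the source-to-binary binding his open-source scheme relies on: the signer records the SHA-256 of the source archive it built from and of the binary that build produced in a manifest, signs the manifest, and anyone holding the published source and the signed binary can later check both hashes against it. It assumes PowerShell 5 or later and a code-signing certificate in Cert:\CurrentUser\My whose chain the verifier trusts; the file names in the usage lines are placeholders.

```powershell
# Added example (not from the thread): a signed build manifest binding the
# source archive a signer built from to the binary that build produced.
# Assumes PowerShell 5+ and a code-signing cert in Cert:\CurrentUser\My whose
# chain the verifier trusts. File names are placeholders.
$ErrorActionPreference = "Stop"

function Get-Sha256([string]$Path) {
    (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
}

function New-BuildManifest {
    param(
        [string]$SourceArchive,   # archive the signer actually built from
        [string]$Binary,          # output of that build, e.g. the .sys
        [string]$OutFile          # manifest path; use .psd1 so it can be Authenticode-signed
    )
    # A PowerShell data file is plain text, parseable without executing code,
    # and one of the file types Set-AuthenticodeSignature can sign.
    @(
        "# Build manifest: binary hash bound to the source archive it was built from.",
        "@{",
        "    SourceArchive = '$([IO.Path]::GetFileName($SourceArchive))'",
        "    SourceSha256  = '$(Get-Sha256 $SourceArchive)'",
        "    Binary        = '$([IO.Path]::GetFileName($Binary))'",
        "    BinarySha256  = '$(Get-Sha256 $Binary)'",
        "    BuiltUtc      = '$([DateTime]::UtcNow.ToString('o'))'",
        "}"
    ) | Set-Content -Path $OutFile -Encoding ASCII
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw "no code-signing certificate in Cert:\CurrentUser\My" }
    $sig = Set-AuthenticodeSignature -FilePath $OutFile -Certificate $cert
    if ($sig.Status -ne 'Valid') { throw "signing failed: $($sig.StatusMessage)" }
    return $OutFile
}

function Test-BuildManifest {
    # Returns the list of problems found; an empty list means the manifest
    # signature is valid and both files match what the signer recorded.
    param([string]$ManifestPath, [string]$SourceArchive, [string]$Binary)
    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $ManifestPath
    if ($sig.Status -ne 'Valid') {
        $problems += "manifest signature is $($sig.Status), not Valid"
    }
    $m = Import-PowerShellDataFile -Path $ManifestPath
    if ((Get-Sha256 $SourceArchive) -ne $m.SourceSha256) {
        $problems += "source archive differs from the one the signer built from"
    }
    if ((Get-Sha256 $Binary) -ne $m.BinarySha256) {
        $problems += "binary differs from the one the signer produced and signed"
    }
    return ,$problems
}

# Usage (signer side, then verifier side); file names are placeholders:
# New-BuildManifest -SourceArchive .\xyzdrv-1.2-src.zip -Binary .\xyzdrv.sys -OutFile .\xyzdrv-1.2.psd1
# Test-BuildManifest -ManifestPath .\xyzdrv-1.2.psd1 -SourceArchive .\xyzdrv-1.2-src.zip -Binary .\xyzdrv.sys
```

PE images are not byte-for-byte reproducible by default (link timestamps, debug GUIDs), so an independent rebuild will not match BinarySha256 without a deterministic build setup; until then the manifest attests only what the signer built from, not that a third party can reproduce it.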

The customer goes to the author if their system crashes. A&P signing the
driver in no way abrogates the author from their responsibility for
maintaining their code. The author has to make sure that what he sends to
A&P is a final cut, because every time A&P signs a driver there is a charge
— no “do overs” because the author sent the wrong source files. Unless the
author tells them who signed the driver or the customer has the smarts to
run CertMgr and looks at the signature, the customer really doesn’t need to
know about A&P.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Arora, Harish
Sent: Monday, January 04, 2010 5:18 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Why is signing drivers such a mess?

> So what happens to the customer ? what does he do in case his system crashes at home.? Who should he contact ?