>> MS gets no cut from certifying which CA can issue EV certs for KMCS
There is no “certification” involved. I would be very surprised to discover
that there was any cost associated with MSFT’s choice of CAs to trust.
You believe MS did all that work for pleasure?
I would see why Apple surpassed it by value then
If
there even is any such choice. I was under the impression that “any EV code
signing cert” would work for creating a dashboard account.
Never was the case, still isn’t. There is a list of trusted EV
providers (the ones for which a cross-cert exists). Others will not
work.
Funny enough, Symantec/Digicert were the only ones that worked at
start, then I believe GlobalSign was added, and gradually others.
But I can tell you from several experiences, that either the cert
bodies do not follow the guidelines, or the guidelines for EV
certification are c***.
scheme had been thwarted multiple ways, and the availability of non-EV certs
is very loose. So cross-signing wasn’t a very good way of ensuring “bad
actors” didn’t create malware that end users could unknowingly load. I
guess.
And Attestation helps… how exactly?
I know Mr. Maksimovic has repeatedly said that there’s no validation
involved in getting an EV cert, but I have heard multiple stories — and our
experiences getting EV Certs for OSR — that say otherwise.
What was involved for you in getting the EV cert?
One of my companies got the certificate simply by being listed on
Google Business. That was it… that was ALL the verification that they
did.
I don’t get the annoyance over attestation signing. At OSR, it just adds
one small step to our release process and hasn’t proved even the tiniest bit
inconvenient.
Submitting the driver, having to wait 20 minutes, downloading it and
then packaging it is not a PITA?
It took me <2 minutes to compile 18+1 different variations of my own
drivers (for different customers, architectures, Windows versions,
etc…), with signing and packaging. It was all automated, and the
resulting package was ready for deployment.
Now, I have to do half the above process, then submit for attestation,
wait 20 minutes, do it 3 more times, because I always forget something
:D, and then have a file ready for deployment.
I agree the above would be a matter of opinion, whether it is a
nuisance - but so is the process of getting the EV cert. Once we get
the first token, renewals are automatic - just PAY. Nothing else!
In my opinion, the biggest drags to Attestation signing are:
- Cost that we see no added value to, but is an obvious way to remove
support for older Windows versions.
- It takes 20-30 minutes per driver package (10 to submit, unless you
automated it via the JSON API), even though the process can’t do anything
more than verify I signed the .cab file, verify the INF, and sign the
driver/cat. That is <2 seconds of work on my old laptop. It should be
<2 milliseconds of work on average on Azure cloud.
What do I do when I need to submit 19 builds? Do a LOT of waiting