Driver Signing for Kernel-Mode Software for x64-based Systems

Yesterday Driver Signing for Kernel-Mode Software for x64-based Systems FAQ
was posted at WHDC site at
http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspx

I already described my position on this questions in several blog comments
(I didn’t understand why ONLY VeriSign certificate could be used for this
purpose currently) and I’m not agree with some statements in answer to
question ‘Why won’t Microsoft accept my certificate from another
Certification Authority (CA)?’:

1. ‘VeriSign has a proven record for not issuing invalid certificates and
   for revoking already issued certificates when appropriate’.
   Really - Isn’t VeriSign issued certificates that looks like Microsoft
   certificates for unknown people some time ago and Microsoft issued special
   ‘kill bit’ updates for theses certificates instead of using CRLs?
2. ‘There is no standard by which Microsoft or others can judge whether
   certification practices at other CAs are equivalent to VeriSign practices’.
   Well, what are the reasons to not use the same rules as in the Microsoft
   Root Certificate Program available at
   http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?

From my point of view people in US offices didn’t understand accounting
requirements in other countries: sometimes it’s just not possible to
directly pay officially abroad (without special license or for other
reasons) and VeriSign isn’t represented well around the world.

Best regards,
Sergey Simakov

Q. <javascript:togglequestion>‘answer14’)> Why doesn’t Microsoft allow digital-signature enforcement
to be turned off by using group policy or by allowing users to choose
whether signing should be enforced on their systems?
<javascript:togglequestion>
A.

The mechanism for disabling the check requires interaction with the user
and machine in a manner that cannot be circumvented easily or
programmatically bypassed. For example, if a group policy registry flag
were provided, malware could simply turn off the enforcement flag. In
answer to questions about allowing automated forms of “opting out”
without signing: Windows does not currently have convenient opt-out
mechanisms that cannot be easily exploited by malware. Microsoft is
considering additional enhancements in order to provide secure opt-out
mechanisms that are not easily exploitable by malware. We are also
exploring mechanisms that will make it easier for test labs to test a
kernel mode component during the development cycle.

A USB key or dongle of some sort could solve this easily if implemented
correctly and wouldn’t be too expensive.

Matt

Sergey Simakov wrote:

>Yesterday Driver Signing for Kernel-Mode Software for x64-based Systems FAQ
>was posted at WHDC site at
>http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspx
>
>I already described my position on this questions in several blog comments
>(I didn’t understand why ONLY VeriSign certificate could be used for this
>purpose currently) and I’m not agree with some statements in answer to
>question ‘Why won’t Microsoft accept my certificate from another
>Certification Authority (CA)?’:
>1) ‘VeriSign has a proven record for not issuing invalid certificates and
>for revoking already issued certificates when appropriate’.
>Really - Isn’t VeriSign issued certificates that looks like Microsoft
>certificates for unknown people some time ago and Microsoft issued special
>‘kill bit’ updates for theses certificates instead of using CRLs?
>2) ‘There is no standard by which Microsoft or others can judge whether
>certification practices at other CAs are equivalent to VeriSign practices’.
>Well, what are the reasons to not use the same rules as in the Microsoft
>Root Certificate Program available at
>http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?
>
>>From my point of view people in US offices didn’t understand accounting
>requirements in other countries: sometimes it’s just not possible to
>directly pay officially abroad (without special license or for other
>reasons) and VeriSign isn’t represented well around the world.
>
>Best regards,
>Sergey Simakov
>
>
>
>—
>Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
>You are currently subscribed to ntdev as: xxxxx@comcast.net
>To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
></javascript:togglequestion></javascript:togglequestion>

What is particularly galling about this decision to use Verisign
exclusively (particularly given the rationale quoted) is that Thawte (a
company that does have good international representation) is owned by
Verisign and yet apparently THAT isn’t enough.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sergey Simakov
Sent: Saturday, January 28, 2006 6:04 AM
To: ntdev redirect
Subject: [ntdev] Driver Signing for Kernel-Mode Software for x64-based
Systems

Yesterday Driver Signing for Kernel-Mode Software for x64-based Systems
FAQ
was posted at WHDC site at
http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspx

I already described my position on this questions in several blog
comments
(I didn’t understand why ONLY VeriSign certificate could be used for
this
purpose currently) and I’m not agree with some statements in answer to
question ‘Why won’t Microsoft accept my certificate from another
Certification Authority (CA)?’:

1. ‘VeriSign has a proven record for not issuing invalid certificates
   and
   for revoking already issued certificates when appropriate’.
   Really - Isn’t VeriSign issued certificates that looks like Microsoft
   certificates for unknown people some time ago and Microsoft issued
   special
   ‘kill bit’ updates for theses certificates instead of using CRLs?
2. ‘There is no standard by which Microsoft or others can judge whether
   certification practices at other CAs are equivalent to VeriSign
   practices’.
   Well, what are the reasons to not use the same rules as in the Microsoft

Root Certificate Program available at
http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?

From my point of view people in US offices didn’t understand accounting
requirements in other countries: sometimes it’s just not possible to
directly pay officially abroad (without special license or for other
reasons) and VeriSign isn’t represented well around the world.

Best regards,
Sergey Simakov

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

What I find disturbing in the FAQ, is that on things like Verisign, the
authors give out the stock answers that I have been hearing and in some
cases refuting for 4 years. I have questioned the Verisign requirement for
all that time at WinHEC’s and DevCon’s. Each year I hear that WinQual is
looking at alternate certificate models, these have included alternate
providers, Microsoft issuing certificates, and the use of smart card like
the shared source initiative has used for accessing kernel source. One
wonders if any of this is real, since they have not come up with an
alternative in four years!

Note: I have not finished signing up for a Verisign certificate, but I
started the process. It is interesting to note, that for a process that
Verisign has told a Microsoft contact of mine: “You can be an individual
developer”, that every page wants company data and does not allow you to
leave it blank.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Tony Mason” wrote in message news:xxxxx@ntdev…
What is particularly galling about this decision to use Verisign
exclusively (particularly given the rationale quoted) is that Thawte (a
company that does have good international representation) is owned by
Verisign and yet apparently THAT isn’t enough.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sergey Simakov
Sent: Saturday, January 28, 2006 6:04 AM
To: ntdev redirect
Subject: [ntdev] Driver Signing for Kernel-Mode Software for x64-based
Systems

Yesterday Driver Signing for Kernel-Mode Software for x64-based Systems
FAQ
was posted at WHDC site at
http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspx

I already described my position on this questions in several blog
comments
(I didn’t understand why ONLY VeriSign certificate could be used for
this
purpose currently) and I’m not agree with some statements in answer to
question ‘Why won’t Microsoft accept my certificate from another
Certification Authority (CA)?’:
1) ‘VeriSign has a proven record for not issuing invalid certificates
and
for revoking already issued certificates when appropriate’.
Really - Isn’t VeriSign issued certificates that looks like Microsoft
certificates for unknown people some time ago and Microsoft issued
special
‘kill bit’ updates for theses certificates instead of using CRLs?
2) ‘There is no standard by which Microsoft or others can judge whether
certification practices at other CAs are equivalent to VeriSign
practices’.
Well, what are the reasons to not use the same rules as in the Microsoft

Root Certificate Program available at
http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?

From my point of view people in US offices didn’t understand accounting
requirements in other countries: sometimes it’s just not possible to
directly pay officially abroad (without special license or for other
reasons) and VeriSign isn’t represented well around the world.

Best regards,
Sergey Simakov

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

From the Microsoft FAQ…

Q. $500 is an incredible cost for me. What are you going to do
to make this program more accessible for developers like me?
A. We are sensitive to the fact that for some people $500 seems
expensive and time-consuming for publishing software for x64-based
systems. Microsoft is proud of the diverse and broad ecosystem that
develops solutions on the Windows platform, and this is something we
continue to foster. Microsoft also believes that a code integrity
infrastructure that does not value and require vendor identity doesn’t
advance accountability to customers. This necessitates the use of a
commercial certificate authority. However, we recognize the need to
work together to address ways that smaller vendors and communities
can prosper in identity-based systems.

Translation:

We know we’re completely f*cking over some people, and we don’t give a sh*t.

Don’t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

> From my point of view people in US offices didn’t understand accounting

requirements in other countries: sometimes it’s just not possible to
directly pay officially abroad (without special license or for other
reasons) and VeriSign isn’t represented well around the world.

Best regards,
Sergey Simakov

Russian companies having no American partners can try to contact the well known
(in Russia) RossBusinessConsulting at www.rbc.ru, whose software division was
once claimed to be the official agent of Verisign in Russia.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> The mechanism for disabling the check requires interaction with the user

and machine in a manner that cannot be circumvented easily or
programmatically bypassed. For example, if a group policy registry flag

Anyway - for me personally, the limitation on particular classes of boot-load
modules seems to be the most loathsome of all this campaign.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

What bothers me most is the existence of the FAQ itself. It is a clear
statement that they just don’t care what rational arguments we have
about why this isn’t a good implementation of the driver signing
concept. They’re going ahead with it anyway.

The FAQ sounds a lot like a political press conference - dancing around
the issues without actually addressing them.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Saturday, January 28, 2006 9:19 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Driver Signing for Kernel-Mode Software for
x64-based Systems

What I find disturbing in the FAQ, is that on things like Verisign, the
authors give out the stock answers that I have been hearing and in some
cases refuting for 4 years. I have questioned the Verisign requirement
for all that time at WinHEC’s and DevCon’s. Each year I hear that
WinQual is looking at alternate certificate models, these have included
alternate providers, Microsoft issuing certificates, and the use of
smart card like the shared source initiative has used for accessing
kernel source. One wonders if any of this is real, since they have not
come up with an alternative in four years!

Note: I have not finished signing up for a Verisign certificate, but I
started the process. It is interesting to note, that for a process that
Verisign has told a Microsoft contact of mine: “You can be an individual
developer”, that every page wants company data and does not allow you to
leave it blank.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting Remove StopSpam from
the email to reply

“Tony Mason” wrote in message news:xxxxx@ntdev…
What is particularly galling about this decision to use Verisign
exclusively (particularly given the rationale quoted) is that Thawte (a
company that does have good international representation) is owned by
Verisign and yet apparently THAT isn’t enough.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sergey Simakov
Sent: Saturday, January 28, 2006 6:04 AM
To: ntdev redirect
Subject: [ntdev] Driver Signing for Kernel-Mode Software for x64-based
Systems

Yesterday Driver Signing for Kernel-Mode Software for x64-based Systems
FAQ
was posted at WHDC site at
http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspx

I already described my position on this questions in several blog
comments
(I didn’t understand why ONLY VeriSign certificate could be used for
this
purpose currently) and I’m not agree with some statements in answer to
question ‘Why won’t Microsoft accept my certificate from another
Certification Authority (CA)?’:
1) ‘VeriSign has a proven record for not issuing invalid certificates
and
for revoking already issued certificates when appropriate’.
Really - Isn’t VeriSign issued certificates that looks like Microsoft
certificates for unknown people some time ago and Microsoft issued
special
‘kill bit’ updates for theses certificates instead of using CRLs?
2) ‘There is no standard by which Microsoft or others can judge whether
certification practices at other CAs are equivalent to VeriSign
practices’.
Well, what are the reasons to not use the same rules as in the Microsoft

Root Certificate Program available at
http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?

From my point of view people in US offices didn’t understand accounting
requirements in other countries: sometimes it’s just not possible to
directly pay officially abroad (without special license or for other
reasons) and VeriSign isn’t represented well around the world.

Best regards,
Sergey Simakov

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: bbrown@mc.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

It’s very easy to bring the prices down. Just let others issue the
certificates…

–

“Mr. GUID” wrote in
message news:xxxxx@ntdev…
> From the Microsoft FAQ…
>>Q. $500 is an incredible cost for me. What are you going to do
>>to make this program more accessible for developers like me?
>>A. We are sensitive to the fact that for some people $500 seems
>>expensive and time-consuming for publishing software for x64-based
>>systems. Microsoft is proud of the diverse and broad ecosystem that
>>develops solutions on the Windows platform, and this is something we
>>continue to foster. Microsoft also believes that a code integrity
>>infrastructure that does not value and require vendor identity doesn’t
>>advance accountability to customers. This necessitates the use of a
>>commercial certificate authority. However, we recognize the need to
>>work together to address ways that smaller vendors and communities
>>can prosper in identity-based systems.
>
> Translation:
>
> We know we’re completely fcking over some people, and we don’t give a
> sht.
>
> _________________________________________________________________
> Don’t just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
>
>

cristalink wrote:

It’s very easy to bring the prices down. Just let others issue the
certificates…

Internet Explorer is perfectly happy to trust my credit card number to a
certificate from any of the top-tier certificate companies. It is just
very hard to understand why driver signing requires anything more secure
than that.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> It’s very easy to bring the prices down. Just let others issue the

certificates…

LOL :
As already suggested before :
“Driver Signing International Inc.” does sign your driver package for 5 USD , delivery back within 24 hours

C.

–

“Mr. GUID” wrote in
> message news:xxxxx@ntdev…
> > From the Microsoft FAQ…
> >>Q. $500 is an incredible cost for me. What are you going to do
> >>to make this program more accessible for developers like me?
> >>A. We are sensitive to the fact that for some people $500 seems
> >>expensive and time-consuming for publishing software for x64-based
> >>systems. Microsoft is proud of the diverse and broad ecosystem that
> >>develops solutions on the Windows platform, and this is something we
> >>continue to foster. Microsoft also believes that a code integrity
> >>infrastructure that does not value and require vendor identity doesn’t
> >>advance accountability to customers. This necessitates the use of a
> >>commercial certificate authority. However, we recognize the need to
> >>work together to address ways that smaller vendors and communities
> >>can prosper in identity-based systems.
> >
> > Translation:
> >
> > We know we’re completely fcking over some people, and we don’t give a
> > sht.
> >
> > _________________________________________________________________
> > Don’t just search. Find. Check out the new MSN Search!
> > http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> >
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@compaqnet.be
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

By the way, we’re planning a major article on x64 driver signing in the upcoming issue of The NT Insider. We’ve had good discussions with the folks at Microsoft who are implementing this (and are planning more). While we can’t PROMISE any break-throughs we SHOULD at least be able to provide some answers that have a lower BS-factor than those provided in the FAQ.

The Jan/Feb issue of The NT Insider is planned to go to press next week,

P

One thing to report is that this weekend, I worked my way through most of
the forms to get a Verisign ID. I became disturbed at the number of places
I needed to fill in data about a company when I don’t have one so I did not
complete the process. Instead, I quiered Verisign about how an individual
can get a driver signing ID and what to put in for a company when you do not
have one (blank does not work). They indicate that they answer most
questions in less than 8 hours, so far I have heard nothing.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
> By the way, we’re planning a major article on x64 driver signing in the
> upcoming issue of The NT Insider. We’ve had good discussions with the
> folks at Microsoft who are implementing this (and are planning more).
> While we can’t PROMISE any break-throughs we SHOULD at least be able to
> provide some answers that have a lower BS-factor than those provided in
> the FAQ.
>
> The Jan/Feb issue of The NT Insider is planned to go to press next week,
>
> P
>

Final update, I got a response back from Verisign. It appears my original
contention that one has to be incorporated is correct. The response to the
question of how an indvidual would get a code signing certificate is below:

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

(#5947-000142-7180\1427180)

Thank you for your inquiry. The only way a Codesigning Digital ID can be
issued to an individual is if the person enrolls themselves as an LLC or
something similar to that. They would have to register the name to their
local city hall so that we can authenticate the “organization” with the
Secretary of State database. If you do not register as an LLC or other,
then we would not be able to issue you a Codesigning Digital ID.

If you have any questions or need further assistance, please reply back to
this e-mail.

Thank you,

Albert

VeriSign Customer Support

When I went through the application process, I had to get a notarized letter
indicating that I am Kernel Drivers not because the company name is not
registered with the state, because it is. The reason is because the phone
number I gave as the contact number was not associated to the company name.

In the end, it was trivial to get the Digital ID. I would recommend that if
you are consulting and you are NOT registered as at least an LLC, to do so.
It costs about 20 bucks and about 30 minutes of your time. In Colorado you
can even do it online. Otherwise you are asking for trouble if you ever get
a problematic client as well, I have had many clients who would not do work
unless I was incorporated and had plenty of E&O and General Liability
Insurance; something you can’t get unless you are incorporated.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, February 01, 2006 1:38 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Driver Signing for Kernel-Mode Software for x64-based
Systems

Final update, I got a response back from Verisign. It appears my original
contention that one has to be incorporated is correct. The response to the
question of how an indvidual would get a code signing certificate is below:

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

(#5947-000142-7180\1427180)

Thank you for your inquiry. The only way a Codesigning Digital ID can be
issued to an individual is if the person enrolls themselves as an LLC or
something similar to that. They would have to register the name to their
local city hall so that we can authenticate the “organization” with the
Secretary of State database. If you do not register as an LLC or other,
then we would not be able to issue you a Codesigning Digital ID.

If you have any questions or need further assistance, please reply back to
this e-mail.

Thank you,

Albert

VeriSign Customer Support

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Pete,

In Massachusetts it is $500/year and changes your tax bracket. I run
as a contractor since I explicitly choose to not deal with the accountants
(another cost) and similar things I found I disliked from being a consultant
years ago.

Bottom line, is Microsoft has ruled that sofware migrants like me, and
folks who want to develop a driver outside of work (assuming they can
legally) are not going to ship on Vista.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Peter Scott” wrote in message
news:xxxxx@ntdev…
>
> When I went through the application process, I had to get a notarized
> letter
> indicating that I am Kernel Drivers not because the company name is not
> registered with the state, because it is. The reason is because the phone
> number I gave as the contact number was not associated to the company
> name.
>
> In the end, it was trivial to get the Digital ID. I would recommend that
> if
> you are consulting and you are NOT registered as at least an LLC, to do
> so.
> It costs about 20 bucks and about 30 minutes of your time. In Colorado you
> can even do it online. Otherwise you are asking for trouble if you ever
> get
> a problematic client as well, I have had many clients who would not do
> work
> unless I was incorporated and had plenty of E&O and General Liability
> Insurance; something you can’t get unless you are incorporated.
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting
> www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
> Sent: Wednesday, February 01, 2006 1:38 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Driver Signing for Kernel-Mode Software for x64-based
> Systems
>
> Final update, I got a response back from Verisign. It appears my original
> contention that one has to be incorporated is correct. The response to
> the
> question of how an indvidual would get a code signing certificate is
> below:
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
>
> (#5947-000142-7180\1427180)
>
> Thank you for your inquiry. The only way a Codesigning Digital ID can be
> issued to an individual is if the person enrolls themselves as an LLC or
> something similar to that. They would have to register the name to their
> local city hall so that we can authenticate the “organization” with the
> Secretary of State database. If you do not register as an LLC or other,
> then we would not be able to issue you a Codesigning Digital ID.
>
> If you have any questions or need further assistance, please reply back to
> this e-mail.
>
> Thank you,
>
> Albert
>
> VeriSign Customer Support
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>

I neither incorporated, nor formed an LLC, and last year, using a DBA,
Doing Business As, acquired a Class 3 Code-signing certificate from
Verisign. Is this a new change that would prevent me that again?

Gary G. Little
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, February 01, 2006 2:38 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Driver Signing for Kernel-Mode Software for x64-based
Systems

Final update, I got a response back from Verisign. It appears my original

contention that one has to be incorporated is correct. The response to
the
question of how an indvidual would get a code signing certificate is
below:

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

(#5947-000142-7180\1427180)

Thank you for your inquiry. The only way a Codesigning Digital ID can be
issued to an individual is if the person enrolls themselves as an LLC or
something similar to that. They would have to register the name to their
local city hall so that we can authenticate the “organization” with the
Secretary of State database. If you do not register as an LLC or other,
then we would not be able to issue you a Codesigning Digital ID.

If you have any questions or need further assistance, please reply back to

this e-mail.

Thank you,

Albert

VeriSign Customer Support

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@seagate.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

At least in the state of Washington, you could register a DBA with the
state when you complete your master business license (cost of $5.00),
and that would satisfy their requirements to be able to authenticate the
“organization” with the sec state.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, February 01, 2006 12:38 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Driver Signing for Kernel-Mode Software for
x64-based Systems

Final update, I got a response back from Verisign. It appears my
original
contention that one has to be incorporated is correct. The response to
the
question of how an indvidual would get a code signing certificate is
below:

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

(#5947-000142-7180\1427180)

Thank you for your inquiry. The only way a Codesigning Digital ID can
be
issued to an individual is if the person enrolls themselves as an LLC or

something similar to that. They would have to register the name to
their
local city hall so that we can authenticate the “organization” with the
Secretary of State database. If you do not register as an LLC or other,

then we would not be able to issue you a Codesigning Digital ID.

If you have any questions or need further assistance, please reply back
to
this e-mail.

Thank you,

Albert

VeriSign Customer Support

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@nvidia.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Every time over the last 4 years I have checked, VeriSign has said LLC, not
even a sole proprietor. Bottom line, is as a contractor, I will never ship
a driver of mine on 64-bit Vista.

It is funny that with the rules in Massachusetts, if two guys started a
company in a dorm room (for instance Harvard, call the guys Bill and Paul),
without going though a lot of hassle, they would not be able to ship
software involving kernel code for Vista 64-bit

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Mark Overby” wrote in message news:xxxxx@ntdev…
At least in the state of Washington, you could register a DBA with the
state when you complete your master business license (cost of $5.00),
and that would satisfy their requirements to be able to authenticate the
“organization” with the sec state.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, February 01, 2006 12:38 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Driver Signing for Kernel-Mode Software for
x64-based Systems

Final update, I got a response back from Verisign. It appears my
original
contention that one has to be incorporated is correct. The response to
the
question of how an indvidual would get a code signing certificate is
below:

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

(#5947-000142-7180\1427180)

Thank you for your inquiry. The only way a Codesigning Digital ID can
be
issued to an individual is if the person enrolls themselves as an LLC or

something similar to that. They would have to register the name to
their
local city hall so that we can authenticate the “organization” with the
Secretary of State database. If you do not register as an LLC or other,

then we would not be able to issue you a Codesigning Digital ID.

If you have any questions or need further assistance, please reply back
to
this e-mail.

Thank you,

Albert

VeriSign Customer Support

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@nvidia.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> Final update, I got a response back from Verisign. It appears my original

contention that one has to be incorporated is correct. The response to the
question of how an indvidual would get a code signing certificate is below:

And what about companies and individuals outside the US ? I think Microsoft
will now loose the market in favor of Linux in the EU once more …

Christiaan

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

(#5947-000142-7180\1427180)

Thank you for your inquiry. The only way a Codesigning Digital ID can be
issued to an individual is if the person enrolls themselves as an LLC or
something similar to that. They would have to register the name to their
local city hall so that we can authenticate the “organization” with the
Secretary of State database. If you do not register as an LLC or other,
then we would not be able to issue you a Codesigning Digital ID.

If you have any questions or need further assistance, please reply back to
this e-mail.

Thank you,

Albert

VeriSign Customer Support

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compaqnet.be
To unsubscribe send a blank email to xxxxx@lists.osr.com