Extended Validation for professional individuals

Hi everyone,

here we go again…

…I’m kind of worried to find myself in a situation like in the early days of
“normal” code-signing for Vista x64 when individuals were not able to
obtain the code-signing certificates…

Anyone have any ideas yet if this will work out better this time?

Best regards,
Tobias

There are agreed, public, standards that define what is needed to qualify for an EV Cert. Google is your friend.

Peter
OSR
@OSRDrivers

It is funny that they announced that WDF will be open source at the same time they announced the EV requirement.

Let me see if I understand. Signing drivers has been a confusing, complex, and expensive PITA for most of us. We’ve struggled to learn what type of certificates work for some things and not others. And we haven’t even navigated the ridiculous SHA1 impasse. Now we learn code signing certs were a total ineffective practice and EV supersedes them. So in essence, all our hard work signing our drivers in recent years has turned out to be for nothing–the strategy didn’t work!

The new EV strategy requires even more complexity and expense than ever in the history of Windows driver development. And to make matters worse, there will be a significant percentage of legitimate developers trapped and unable to meet the criteria that will be excluded from making drivers. And I am not hearing any guarantees EV will even work. Anyone want to wager on how long until hackers are around it? It’s like antiquated DRM all over again–punish the good guys and the bad guys are unimpeded. Someone needs to mention to Mr. Nadella about this garbage. He seems the type of man who would fix this.

Yes, and they simply replicate the old “standards” for code certs back when
there were only two or three players and they could get away with rates
like verisign charges. And we are back to two or three vendors with
ridiculous prices and “standards” that lock out anyone without a
corporation behind them.

Mark Roddy

On Sun, Mar 22, 2015 at 12:21 PM, wrote:

> There are agreed, public, standards that define what is needed to qualify
> for an EV Cert. Google is your friend.
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Well, there is the hardware token requirement that is new, and probably what MS was looking for.

> Yes, and they simply replicate the old “standards” for code certs back when

Actually, they are much more demanding.

It looks to me like anybody with a legitimate business license, a business address, and a business checking account will qualify. But the process will almost certainly be a PITA.

I don’t really understand the win in this for Microsoft. It just can’t be THAT much harder to get or steal an EV cert. But what do I know.

One thing that IS nice is that apparently the charade of being able to disable certain malware in the field by way of the CRL now appears to be a thing of the past.

Peter
OSR
@OSRDrivers

Yea, the fact that all certificates come from a single root should make revocation easier.

I just purchased a 5-year certificate and to get that I also paid a lot of
money to go through an extremely painful notarization process.

Now, how could they EVER invalidate that without refunding me and continuing
decent business practices at the same time ?

I don’t really think so.

//Daniel

Well, I think EV certs (normally?) are stored on a smart card and require two-factor authentication - so they should be quite a bit more secure than the non-EV ones which can be copied anywhere and don’t even require a password to be set to access them.

Bruce

On Mar 22, 2015, at 20:49, xxxxx@osr.com wrote:

> Yes, and they simply replicate the old “standards” for code certs back when

Actually, they are much more demanding.

It looks to me like anybody with a legitimate business license, a business address, and a business checking account will qualify. But the process will almost certainly be a PITA.

I don’t really understand the win in this for Microsoft. It just can’t be THAT much harder to get or steal an EV cert. But what do I know.

One thing that IS nice is that apparently the charade of being able to disable certain malware in the field by way of the CRL now appears to be a thing of the past.

Peter
OSR
@OSRDrivers



> Well, I think EV certs (normally?) are stored on a smart card and require two-factor authentication

They are stored on a USB-token as far as next links are correct (and the way to go)

http://digcert.com/symantec_codesigning_ev_install-english.html
http://digcert.com/symantec_codesigning_ev_use_kernel-english.html

Christiaan

----- Original Message -----
From: “Bruce Cran”
To: “Windows System Software Devs Interest List”
Sent: Monday, March 23, 2015 6:36 AM
Subject: Re: [ntdev] Extended Validation for professional individuals

Well, I think EV certs (normally?) are stored on a smart card and require two-factor authentication - so they should be quite a bit
more secure than the non-EV ones which can be copied anywhere and don’t even require a password to be set to access them.

Bruce

> On Mar 22, 2015, at 20:49, xxxxx@osr.com wrote:
>
>


> Yes, and they simply replicate the old “standards” for code certs back when
>
>
> Actually, they are much more demanding.
>
> It looks to me like anybody with a legitimate business license, a business address, and a business checking account will qualify.
> But the process will almost certainly be a PITA.
>
> I don’t really understand the win in this for Microsoft. It just can’t be THAT much harder to get or steal an EV cert. But what do
> I know.
>
> One thing that IS nice is that apparently the charade of being able to disable certain malware in the field by way of the CRL now
> appears to be a thing of the past.
>
> Peter
> OSR
> @OSRDrivers

I am also very concerned about the new signing requirements and will not be
accepting any new commissions for Microsoft driver work until the following
critical information is available:-

  1. Will EV code signing certificates be made available to small businesses
    without a US presence?
  2. What will be the acceptance criteria for Microsoft to sign a driver?
  3. What will be the turnaround time for Microsoft to sign a driver?
  4. What will be the validity period of a Microsoft signed third party
    driver?

For the last 17 years, my company has been writing specialist drivers for
ISM users, not consumers. The drivers and hardware are highly specialised
and do not fit into any standard API. Additionally, a significant amount of
customisation is often required for an individual client; which results in a
relatively high number of driver signing events, given the number of devices
in the field.

I do not believe that EV code signing certificates are currently widely
deployed. Whilst searching for further information, all the available EV
certificate requirements documentation referred to EV SSL certificates. At
this point, I can only assume that the EV code signing certificate
application process will be similar to that for an EV SSL certificate.

I sympathise with Tobias: when the 64 bit code signing requirement was
introduced, it took months to obtain the appropriate certificate. The CA’s
systems were only set up for US companies and kept demanding information
which was both inapplicable and unavailable to a UK Limited company.

Best regards

Christopher L Read CEng MIEE SMIEEE

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@tobias-erichsen.de
Sent: 22 March 2015 17:09
To: Windows System Software Devs Interest List
Subject: [ntdev] Extended Validation for professional individuals

Hi everyone,

here we go again…

…I’m kind of worried to find myself in a situation like in the early days of
“normal” code-signing for Vista x64 when individuals were not able to
obtain the code-signing certificates…

Anyone have any ideas yet if this will work out better this time?

Best regards,
Tobias



Oh, until the process is straightened out, getting an EV Code Signing Cert will almost CERTAINLY be a PITA unless you’re a corporation… probably unless you’re a US Corporation. The latest standard for the criteria for qualifying for an EV Cert are here:

https://cabforum.org/wp-content/uploads/EV-V1_5_2Libre.pdf

You’ll note that it *does* anticipate non-US entities.

Now, whether Digicert or Symantec/Verisign are ready to handle such requests is another question.

If you currently have a Class 3 Code Signing Cert from Digicert or Symantec/Verisign, I recommend you return to them and apply for a second EV Code Signing Cert.

And please report your experience here.

As a data point, two weeks ago it took us about 24 hours to get our EV Code Signing Cert from the same CA that issues our non-EV Code Signing Cert, and required nothing more from us other than filling out the usual application and signing a form attesting to something entirely innocuous (I don’t even remember what it was). Oh, and the charge on our credit card clearing, I assume that was the most important criteria.

Peter
OSR
@OSRDrivers

I lump the signing and the WHQL process together in my mind. In general I
think the whole driver testing and validation process was a piece of crap 15
years ago, and has gone downhill ever since.

On the 64-bit signing, the original approach did not do the things it was
claimed to do, but added a layer of complexity and cost to the driver.
There is not a lot of data about the new approach, but if Microsoft is going
to put this additional pain on the community, you would think they could at
least provide some strong justification.

On the WHQL side things have just gotten worse and worse.

  1. 15 years ago the system and device requirements were all on the
    Microsoft website and available to the public. At the time it was pretty
    easy for me as a consultant to suggest to my clients that before they lock
    their hardware down they check over the specifications and try to comply
    with them. For the last roughly 10 years, it has been impossible to get
    firms that are entering the Windows market to do that since the requirement
    to have a cert to get on to the WHQL site where all this data now resides
    has made the firms say “to h*** with Microsoft” when the discussion gets
    around to this. There has been some migration recently that a little of the
    data is out from under, but Microsoft needs to do more.

  2. 15 years ago, the tests were crap, but they were relatively easy to run.
    Take the CD put it on the test system, and select the test, typically about
    an hour later you had the results (less actually since you would fail with a
    worthless error message). Well the tests are still crappy and the error
    messages are still worthless, but now you set up multiple machines, and in
    many instances wait a day or two to get the results. Personally, I
    abandoned using WHQL tests in most cases once the framework came out, yet
    even at WinHEC last week this is a feature of testing. I know of two large
    PC firms that when the test framework came in, it conflicted with their own
    frameworks and significantly reduced the testing they did on a driver.

  3. 15 years ago, Microsoft did nothing to help you write your own driver
    tests. This has progressed a little, but how about some good test sources
    being added to a kit or GitHub? How about either the source, or at least a
    DLL with a well documented API that takes the guts of the common tools for
    PnP testing, Power Testing, and the old DC2 and makes them something we can
    incorporate into our tests?

Microsoft has basically for the last 15 years made things worse, and ignored
the community (the whole test framework produced close to a riot at WinHEC
2003, and never got any support since that). Instead they should be
engaging the community to create a world class testing environment. On the
signing, there are approaches that can be used, but Microsoft would be wiser
both for security as well as to reflect the community’s needs to manage this
themselves.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

xxxxx@osr.com wrote:

> Yes, and they simply replicate the old “standards” for code certs back when

Actually, they are much more demanding.

It looks to me like anybody with a legitimate business license, a business address, and a business checking account will qualify. But the process will almost certainly be a PITA.

I don’t really understand the win in this for Microsoft. It just can’t be THAT much harder to get or steal an EV cert. But what do I know.

I’ve been thinking about this requirement, and brainstorming about how I
would have designed it. In our build processes today, we currently have
a step that reaches out to an external source – the signature
timestamping. If I simply had another command line step in my driver
build process that sent my CAT file to some Microsoft portal, which
checked my certificate against a known black list and sent back an
additional certificate to be added to the chain that said “this
certificate was OK on the day it was signed”, I would find that
perfectly acceptable and non-intrusive.

Wouldn’t that achieve the same end result with no additional costs?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Semi cross-post from the WinHEC thread, but I believe it needs to be said:

I don’t understand what everyone is freaking out about. I got a 3-year EV certificate for a few hundred bucks, and the entire process took less than 8 hours. I don’t have a US Corporation.

EV certificates are as broken as standard certificates: the CAs will gladly take your money. I’m sad as a security expert about this, but for those of you with worries that the process will be a PITA, you’re putting too much trust in the “standards”. 8 hours. That’s all it took. I didn’t spend a penny other than on the cert.


Best regards,
Alex Ionescu

> The new EV strategy requires even more complexity and expense than ever in the history of Windows driver development.

What about Apple? Are they also about such things? For phones - yes, and even harder, but the phone market world is different.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

That’s great news!

You got one from Symantec/Verisign or Digicert, right?

Because those are the only two that you can use for Win10 KMCS.

Please verify, because if what you say is correct a lot of people in the community will be very much relieved.

Peter
OSR
@OSRDrivers

> That’s great news!

Globalsign provides the EV code signing certificates (SHA2 only) to companies, not to individuals.

I spoke today via phone to someone from Symantec. He stated that the EV certificate is not provided to individuals. On the contrary, the “old” regular kernel code signing certificate is now given to individual developers as well.

Christiaan

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, March 25, 2015 6:26 PM
Subject: RE:[ntdev] Extended Validation for professional individuals

> That’s great news!
>
> You got one from Symantec/Verisign or Digicert, right?
>
> Because those are the only two that you can use for Win10 KMCS.
>
> Please verify, because if what you say is correct a lot of people in the community will be very much relieved.
>
> Peter
> OSR
> @OSRDrivers

> hours. I don’t have a US Corporation.


What is also important: are you a UK corporation? Or some other common law country?

Even civil law Western countries can be different, not to say non-Western.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com