FYI - VeriSign has code signing certificates on sale

> Because if I steal your certificate and use it to sign my malware,
> I’ve only got a finite time to use it. I’m not confident that all
> computers actually do CRL lookups so just revoking the
> certificate isn’t necessarily going to work.

Surely there must be another reason because that seems a weak argument. A stolen cert good for just 3 hours, let alone 3 years is enough for malware to do all they need: sign with it, time stamp it, ship it.

And of course this “stolen cert” reasoning also assumes they were able to steal the password too otherwise it would be a no go even with no expiry.

Call me a cynic, but I think that they do it to make money. Like all things
‘security,’ there’s a lot of hysteria and bullshit. Such is life.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Saturday, September 18, 2010 11:01 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] FYI - VeriSign has code signing certificates on sale


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

The reason for the expiration date is to assure the revocation list will not
grow forever. The CRL only needs to contain unexpired certificates.

Jan

Surely there must be another reason because that seems a weak argument.
A stolen cert good for just 3 hours, let alone 3 years is enough for
malware to
do all they need: sign with it, time stamp it, ship it.

> The CRL only needs to contain unexpired certificates.

If true, that sounds like a huge security hole in the existing model. It means if a malware producer signs & timestamps their ware, then simply waits to release until the day after the cert they used expires, then there is no way to deal with it. Astonishing oversight.

That’s an interesting point, but it depends on your definition of
expiration. For time stamped signatures, the expiration is treated as the
expiration of the timestamp validation chain, not the entity validation
chain. This means timestamped signatures have to potentially support a much
larger CRL size for verification. With a simple digital signature, you can’t
determine if it was signed before or after the entity certificate
expiration, so you have to treat the entity certificate expiration as the
end of verifiability, and you can also discard CRL entries for expired
certificates.

The expiration date does protect the certificate owner. If it’s stolen,
there is a definite time window of when signatures can be done. If the
certificate is revoked on a time-stamped signature, the CA should be
checking the CRL at the moment of timestamping, and rejecting attempts to
timestamp revoked or expired certificates. The entity certificate expiration
still helps manage the CRL size, as at the time of timestamping, the CRL
check only has to contain revoked certificates up to their expiration. After
their expiration, all certificates are rejected for timestamping.

Apple code signing, I believe, uses much shorter expiration times on their
developer certificates, which does a better job of containing the damage
from a stolen certificate. Code signing certificates also come essentially
for free, if you pay the $99/year development program fee.

As far as price goes, keep in mind the price VeriSign charges has to cover
costs for maintaining the timestamp server and the CRL database. This is an
ongoing operational cost, not a one time cost of a few milliseconds of cpu
time. Doesn’t Visa charge a merchant like $0.30 (and a few percent of the
transaction value) for every credit card transaction processed? Let’s see,
if each transaction to the timestamp server cost $0.30, and I have say 3
signatures in my product (kernel code, .cat, install package), and my build
system runs every day, that’s like $300 in timestamp server transactions
charges per year. Based on typical transaction fees, code signing
certificates may not be priced all that outrageously. We might be worse off
if VeriSign gives away the code signing certificate for free, but charges us
$0.30 each time we use the timestamping server. I suppose if we were charged
per timestamp transaction, we would be very motivated to only use
self-signed test certificates during builds. Effectively, buying a code
signing certificate is also buying a bucket of timestamp server transactions
bundled into the price. This is different from an SSL certificate, which
does not have an ongoing stream of timestamp requests.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-425336-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, September 18, 2010 9:59 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] FYI - VeriSign has code signing certificates on sale


> This means timestamped signatures have to potentially
> support a much larger CRL size for verification.

Aha, so in other words timestamping blows away the theory that expirations keeps the CRL from being too big.

> The expiration date does protect the certificate owner. If it’s
> stolen, there is a definite time window of when signatures can
> be done.

Chances are if an interested thief gains access to a system used to sign drivers, there’s going to be a valid cert on it. So it won’t be particularly relevant if it expires in 1 year or 100 years.

> Apple code signing I believe use much shorter expiration times on
> their developer certificates, which does a better job of containing
> the damage from a stolen certificates

Depending on the random artifact of expiration should not have anything to do with ones protection policy. If one wishes to limit damage control, they are free to sign with 1 cert per product, or even 1 cert per release. And proper password policy makes even a stolen cert totally bullet proof.

Surely you’re joking. Imagine how many cents per day it would cost to put one of these on EC2…

One can devise a plethora of scenarios under which we would be “worse off”, ranging from mundane to ridiculous. That doesn’t make the cost of the certificate any more “reasonable”

Peter
OSR

No. Most malware (the stuff that would benefit from code signing at least) is only good for a very short amount of time. Basically long enough for the anti-malware crowd to learn about it and add the signature to the database. Hours. Once that happens they have to rebuild and re-sign it to avoid detection.

Of course the fact that it’s using a stolen cert is going to be a dead giveaway to any decent anti-malware product…

Sent from my iPhone

On 19/09/2010, at 12:59, xxxxx@gmail.com wrote:

> Because if I steal your certificate and use it to sign my malware,
> I’ve only got a finite time to use it. I’m not confident that all
> computers actually do CRL lookups so just revoking the
> certificate isn’t necessarily going to work.


> amount of time. Basically long enough for the anti-malware crowd to learn about it and add the
> signature to the database

Some AV products like Kaspersky just blindly trust any digitally signed software, at least with the default settings.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hagen Patzke wrote:

Any authoritative answer? Doron?

Tim Roberts wrote:

I think you are imagining problems where none exist. […]

Think about it. […]

Tim, as far as I know you are not a lawyer or official spokesman for
VeriSign/Microsoft. Sorry, but I asked for an *authoritative answer*.

Remember Unisys and GIF/LZH? What we think might not matter much as soon
as an American company with a legal department is involved.

As stated:

  • You sign up with WinQual for e.g. WER or your WLK/DTM submissions by
    code-signing “winqual.exe” (downloadable from WinQual).
  • You *can* use the VeriSign $99 Class 3 CS certificate to code-sign
    anything else, too: drivers, .NET assemblies, etc.
  • My question was if it is *legal* to do this. And this question is
    still open.

(You can use a crowbar to open other people’s homes. This, too, is not
legal if you are not specially authorized.)

Quite true. In fact, there really is no answer, other than what the person
in the robe standing in front of you says at any particular moment in time.

These are all good reasons, in my opinion, to avoid conversations like this
one here.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hagen Patzke
Sent: Sunday, September 19, 2010 5:22 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] FYI - VeriSign has code signing certificates on sale


xxxxx@osr.com wrote:

The question is exactly if it is legal to use an “Organizational
Certificate Digital ID” (technically a class 3 code signing certificate
to sign winqual.exe) for driver and application signing.

If it is - cool, very fine. But I want to know for sure.

Please check this link:
http://www.verisign.com/code-signing/content-signing-certificates/winqual-developers/index.html

“VeriSign offers preferred pricing to Microsoft Windows® Quality Online
Services (Winqual) developers* for VeriSign® Code Signing Certificates
for Microsoft® Authenticode®. To establish an account in Winqual,
developers who do not need code signing services are required to
purchase a VeriSign® Organizational Certificate.”

And the table seems to indicate that the $99 “Organizational
Certificate” can (*legally*) not be used for Code Signing.

M. M. O’Brien wrote:

Quite true. In fact, there really is no answer, other than what the person
in the robe standing in front of you says at any particular moment in time.

Actually I found this link:
http://www.verisign.com/code-signing/content-signing-certificates/winqual-developers/index.html

(Google “organizational certificate id” did the trick.)
Hopefully this helps to settle the discussion.

I’m not saying that one can’t figure this out to one’s own satisfaction or
even that most people won’t agree; I’m saying that it’s a legal matter, so
giving out advice on this list is not a good idea, in my opinion, as it
requires legal interpretation.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hagen Patzke
Sent: Sunday, September 19, 2010 5:33 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] FYI - VeriSign has code signing certificates on sale


Forgot - and legal interpretation depends entirely on where you are located.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Hagen Patzke
Sent: Sunday, September 19, 2010 5:30 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] FYI - VeriSign has code signing certificates on sale

xxxxx@osr.com wrote:

[quote]
Promotion: VeriSign Organizational Certificate Digital ID Promotion for
Microsoft - 1 year for $99!
[/quote]


xxxxx@osr.com wrote:

I mean… it’s a freakin’ CERTIFICATE. What did it cost to have some
dude run GUIDGEN to create it, even if one includes the proportional
cost of the administrative overhead to process the application, track
the cert through its life, and for creating a website with a
FAAABULOUS customer interface.
[…]
A Verisign Authenticode Certificate suitable for user-mode and
kernel-mode code signing costs exactly the same amount as an Office
Pro license – $499.

Peter, do you know how much building and maintaining a secure PK
infrastructure costs? If it’s so simple, why is OSR not doing it?

Of course *anyone* can make certificates.

But you want a trust chain you can… ummm… trust.

For this, you need someone to check and actually verify the IDs of the
people you sign certificates for. You need your private keys to be
*secure*.

xxxxx@gmail.com wrote:

What is the purpose of certificate expiry? Why can’t they be used
forever and remove the need for time stamping, renewal processing,
and recurring costs?

A certificate (SPC) is used to establish a link between physical (legal)
and digital identity.

Time-stamping and CRLs allow to check if a given identity<->certificate
link was valid at a given point of time.

Expiry makes sure you do periodic confirmation of the legal<->digital
identity link. (And also obviously makes sure CAs make a living.)

Jan Bottorff wrote:

The reason for the expiration date is to assure the revocation list will not
grow forever. The CRL only needs to contain unexpired certificates.

Wrong: Timestamping allows you to have a driver signed with an expired
cert. It only matters that the cert was valid when you signed it.

So you *do* need to keep the CRLs forever. And all old root certificates
as well. (Or did I miss something?)

Jan Bottorff wrote:

If the certificate is revoked on a time-stamped signature, the CA
should be checking the CRL at the moment of timestamping, and
rejecting attempts to timestamp revoked or expired certificates.

No. The timestamping protocol provides no information to the
timestamping authority of the data it is used on, e.g. any
certificate involved. Only a hash value:
http://www.ietf.org/rfc/rfc3161.txt

[IIRC, with “SignTool signwizard” you could e.g. only timestamp a CAB
file. This is actually quite useful for some purposes. :-)]
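Two technical points in this thread can be exercised in a small model: Jan's verification rule (a timestamped signature is judged as of the timestamp's time, while an un-timestamped one cannot be placed in time and so dies with its certificate), and Hagen's two objections that a CRL pruned of expired certificates is unsafe once timestamps are honoured, and that an RFC 3161 TSA only ever sees a hash. The following is an added example, not code from this thread, from VeriSign, or from Windows; the Cert, Signature and TimestampToken classes, the hash-based stand-in for a real signature, and the serial number and dates are all constructed for illustration, and no real cryptography is involved.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Entity (code-signing) certificate, reduced to what the verifier needs."""
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class TimestampToken:
    """What an RFC 3161 TSA hands back: the imprint it was given plus its genTime."""
    imprint: bytes
    gen_time: datetime


@dataclass(frozen=True)
class Signature:
    cert: Cert
    payload_hash: bytes
    sig_value: bytes
    timestamp: Optional[TimestampToken] = None


def _toy_sig(cert: Cert, payload_hash: bytes) -> bytes:
    # Stand-in for a real signature (constructed): binds the payload hash to the serial.
    return hashlib.sha256(cert.serial.to_bytes(8, "big") + payload_hash).digest()


def sign(cert: Cert, payload: bytes) -> Signature:
    payload_hash = hashlib.sha256(payload).digest()
    return Signature(cert, payload_hash, _toy_sig(cert, payload_hash))


def tsa_timestamp(imprint: bytes, tsa_clock: datetime) -> TimestampToken:
    """Model TSA. As in RFC 3161 the request carries only a message imprint, so the
    TSA never sees the signing certificate and cannot consult a CRL on its behalf."""
    return TimestampToken(imprint=imprint, gen_time=tsa_clock)


def add_timestamp(sig: Signature, tsa_clock: datetime) -> Signature:
    imprint = hashlib.sha256(sig.sig_value).digest()
    return Signature(sig.cert, sig.payload_hash, sig.sig_value,
                     tsa_timestamp(imprint, tsa_clock))


def verify(sig: Signature, crl: Dict[int, datetime], now: datetime) -> Tuple[bool, str]:
    """crl maps certificate serial -> revocation date.

    A timestamped signature is judged as of the token's genTime; a signature
    without a timestamp cannot be placed in time and is judged as of `now`."""
    if sig.sig_value != _toy_sig(sig.cert, sig.payload_hash):
        return False, "signature does not match payload"
    if sig.timestamp is None:
        check_time = now
    else:
        if sig.timestamp.imprint != hashlib.sha256(sig.sig_value).digest():
            return False, "timestamp does not cover this signature"
        check_time = sig.timestamp.gen_time
    if not sig.cert.valid_at(check_time):
        return False, f"cert {sig.cert.serial} not valid at {check_time:%Y-%m-%d}"
    revoked_on = crl.get(sig.cert.serial)
    if revoked_on is not None and revoked_on <= check_time:
        return False, f"cert {sig.cert.serial} revoked on {revoked_on:%Y-%m-%d}"
    return True, "ok"


def prune_expired(crl: Dict[int, datetime], certs: Dict[int, Cert],
                  now: datetime) -> Dict[int, datetime]:
    """The CRL housekeeping debated in the thread: drop entries for expired certs."""
    return {s: d for s, d in crl.items()
            if s not in certs or certs[s].not_after >= now}


def scenarios() -> Dict[str, bool]:
    """Constructed serial and dates; returns the verdict for each case."""
    t0 = datetime(2010, 9, 18)
    cert = Cert(4242, "Example Drivers Inc (constructed)", t0, t0 + timedelta(days=365))
    crl = {4242: t0 + timedelta(days=30)}            # key reported stolen, revoked on day 30
    after_expiry = t0 + timedelta(days=400)

    honest = sign(cert, b"driver.sys build 1")       # signed on day 0
    honest_ts = add_timestamp(honest, t0 + timedelta(days=10))
    stolen_ts = add_timestamp(sign(cert, b"unwanted.sys"), t0 + timedelta(days=60))
    pruned = prune_expired(crl, {4242: cert}, after_expiry)

    return {
        "untimestamped_after_expiry": verify(honest, crl, after_expiry)[0],
        "timestamped_after_expiry": verify(honest_ts, crl, after_expiry)[0],
        "signed_after_revocation": verify(stolen_ts, crl, after_expiry)[0],
        "signed_after_revocation_pruned_crl": verify(stolen_ts, pruned, after_expiry)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'VALID' if ok else 'INVALID'}")
```

The last scenario is the one that matters for the CRL-size argument: the signature made after revocation is correctly rejected while the CRL still carries the entry, and is accepted again as soon as the entry is pruned because the certificate has expired. A verifier that honours timestamps therefore needs revocation entries kept at least as long as it is willing to accept timestamps covering that certificate's lifetime, which is exactly why Jan's "larger CRL" and Hagen's "keep the CRLs forever" point in the same direction.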

> [quote]
> As far as price goes, keep in mind the price VeriSign charges has to cover
> costs for maintaining the timestamp server and the CRL database.
> [/quote]
>
> Surely you’re joking. Imagine how many cents per day it would cost to
> put one of these on EC2…

Actually, no you probably could not put a timestamp server on EC2, as the
signature is likely run by a piece of secure crypto hardware.

VeriSign has their own secure data centers; a quick check finds a company
overview at
https://www.verisign.com/corporate/internet-infrastructure-overview.pdf

Jan