It is mentioned in Code Signing Best Practices. (search for best_practices.doc in microsoft.com)
— begin quote —
Certificates normally expire after a period of time, such as one year. However, software is typically designed to operate for many years. If the certificate that was used to sign the code expires, the signature cannot be validated and the software might not install or run. To avoid this issue, Microsoft recommends that software publishers timestamp their digital signatures.
A timestamp is an assertion from a trusted source, called a time-stamping authority (TSA), that the digital signature’s signed hash was in existence when the timestamp was issued. If the signing certificate was valid at that time, Windows considers the signature to be valid even if the certificate has since expired. If a signature is not timestamped, when the certificate used to sign the software expires, the signature simply becomes invalid.
— end quote —
Actually, it just says that “The signature simply becomes invalid.” –> equivalent to not signed.
Rationale is to prevent signing drivers with expired certificates.
Without timestamps, there is no way to tell if the code was signed before expiration.
Timestamp from the valid source (such as VeriSign) ensures the actual time (not of the build system or developer’s system).
In other words, when you release your drivers to the public, it is
mandatory to sign them with timestamp.
Chesong Lee
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@email.com
Sent: Sunday, July 23, 2006 1:22 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Kernel Driver signing in Vista x64 and Certificate expiration
Otherwise - with no timestamp - your driver will
not be loaded after expiration date of your certificate.
This is new to me; a kind of disposable driver. Software that someone buys that expires in less than 2 years should be considered junkware and people warned ahead of time. Because what if these forced updates are worse and buggier than the original or just never come to exist? What if the system will no longer boot after expiration? There are timelocked *applications*, but I can’t understand why anyone would ever create a *driver* that behaves like this.
eof
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer