Is it possible to buy an individual verisign certificate?
I wanted to know if someone else has one because all the information I have read implies I should at least be a business. (Which I am not.)
Hi,
having the same problem, all the issuers that I have contacted so far have referred to the regulations imposed on them *by* Microsoft. So the correct place to turn to would be Microsoft, but when I tried through my (private) MSDN Pro subscription nothing came of it either. They’re deaf to these things. Apparently there mustn’t be any non-commercial drivers for Windows …
BTW: the signing for Vista (and later) drivers requires a special method and a special certificate. Not all issuers offer that, so double-check any seemingly cheap offers. And even these “lesser” certificates are not available to private people, it seems.
// Oliver
--
---------------------------------------------------
DDKWizard and DDKBUILD: http:
Trunk (potentially unstable) version: http:
I’m not sure what you mean by “individual”. You do have to have a class 3
code signing certificate and to acquire one from Verisign, you must be a
business.
The personal opinion of
Gary G. Little
Hi Gary,
> I’m not sure what you mean by “individual”. You do have to have a class 3
> code signing certificate and to acquire one from Verisign, you must be a
> business.
“individual” as in “for an individual”. A certificate to sign my own creations of software, e.g. OpenSource projects (so it’s not all about drivers only in my case) to give my users the assurance that what they download is from me. So if they trust me and the issuer they can trust the downloaded package after verifying the signature. One such project would be for me DDKWizard (on-topic), another one would be WinDirStat (off-topic). I’d also certainly sign some of my less noteworthy projects if I had the opportunity.
Creating a business just for acquiring a certificate is out of the question due to the attached bureaucratic hurdles. Apart from that the costs of a code-signing certificate are considerable for an individual so the additional costs for the “business” would simply add to it. Given that I give away these pieces of software for free, I do also look at the costs attached (hosting, time, and potentially the code-signing). Oh, and having my company sign those project releases for me seems to be precluded by the regulations MS has put up for code-signing and the use of the issued certificates.
Sorry for picking it up again despite not being the original author of the question. I’ve been having the same problem for some time now.
Just to clarify,
> (hosting, time, and potentially the code-signing). Oh, and having my
> company sign those project releases for me seems to be precluded by the
> regulations MS has put up for code-signing and the use of the issued
> certificates.
NB: “my company” as in “my employer”.
Well, all this so-called “security” by its very definition is selective:
not everyone is allowed to get in.
Somebody always will stay out and complain.
MS just trusts Verisign; try and convince them to trust other CAs…
–pa
> Well, all this so-called “security” by its very definition is
> selective: not everyone is allowed to get in.
> Somebody always will stay out and complain.
So as I understand it individuals are, by definition, more dangerous than businesses in this case? Is that what you’re saying?
It has been shown that fake businesses were able to acquire code-signing certificates (IIRC Rutkowska tried and documented it). Several “rogue” products in the anti-malware industry exist and some have been signed.
Then how can my wanting to sign *open* source software (yes, they could scrutinize the code if they liked) that I give away free of charge be considered more dangerous than some businesses that were established with the sole purpose of (immorally) ripping off users?! It’s not like they couldn’t apply the same level of scrutiny in vetting me if they wanted to. After all, I’d pay the same price as the business, right? So if they want to see my papers, call me, have me bring some signed paper from the municipality (what else is a business registration?!), how does that differ from what they do when a business tries to get a code-signing certificate? …
Also, convincing MS to trust other CAs won’t do anything good, because the same rules will apply to these CAs.
It seems to me we discussed this to death more times than I can count.
We discussed it to death back when Microsoft first announced the policy. The community campaigned against the signing requirement, we cited the hobby/free/personal software issue. I personally spent time talking with the architects and the PMs responsible. Microsoft was not convinced by our arguments.
We discussed it again less than a month ago.
We always wind up at the same place: Microsoft is unconvinced, and clearly believes there is more benefit than there is risk to the signature requirement.
I am aware of multiple products for hobby use that provide detailed instructions to non-computer savvy end users to either: (a) use F8 to disable driver signing or (b) use BCDEDIT to turn test signing on, because the binary driver they distribute was signed with a test cert.
I think there should be a specific way for folks who make hobby/free software to get their drivers signed. The driver signing requirement, coupled with no way to get hobby/free software signed, gives the Linux fanboys yet one more thing to campaign on.
Oh well,
Peter
OSR
“Oliver Schneider” wrote in message
news:xxxxx@ntdev…
> So as I understand it individuals are, by definition, more dangerous than
> businesses in this case? Is that what you’re saying?
No, I’m only saying that we live in the world of locks, keys, governments
and police.
Fairness and justice are not attributes of this world. Yet.
Of course, MS wants individuals to write software for Windows - but not to
tamper with the kernel.
Kernel is a special place that should be kept sterile and trusted. At least,
this is the intention…
There is so much fun and money outside - GUI, internet, facebook, HPC,
games. Why would an individual want to poke in the kernel at all? This is
suspicious.
Regards,
–pa
There are places in the USA where you can create a LLC (Limited Liability
Corporation) or a PA (Private Association) that can provide the ‘company’
but then you also have the required business licenses in the state where the
company is located. It is possible and there is no requirement that your
‘company’ be your employer, but it could be one you own. There are expenses
and I think Microsoft has decided that open source kernel code has no reason
to exist. Microsoft could offer, for a reasonable fee, a service where a
developer would submit his source code to Microsoft and they would then sign
generated binaries with a unique key for this purpose. That would solve the
malware issues, but it would cost Microsoft a significant amount of money to
do this. By ‘significant’ I mean from the developer’s viewpoint and not a
mega-billion dollar company such as Microsoft.
You’re kidding, right?
I think writing drivers is fun. People find LOTS of things fun, shall we tell them that “only professionals need apply” when it comes to writing drivers? “Sorry… you can do it at home, in your spare time, using completely free tools, and perhaps you’ll learn new things, invent something cool, and fill the needs of a small community… but NO, sorry, we’re not going to let you because you’re doing it as a HOBBY?” Yeah, right. It’s just too dangerous?
Peter
OSR
> Of course, MS wants individuals to write software for Windows - but not
> to tamper with the kernel.
> Kernel is a special place that should be kept sterile and trusted. At
> least, this is the intention…
There wasn’t any way for the “lesser” code-signing certificates either when I checked last. So even user-mode code-signing is precluded from me as an individual.
> There is so much fun and money outside - GUI, internet, facebook, HPC,
> games. Why at all an individual may want to poke in the kernel? This is
> suspicious.
Hehe, got it. Highly suspicious indeed. However, I doubt there are many hobbyists in that area anyway, and most of them are probably either working with KM code professionally as well or “hobbyists” from rootkit.com who wouldn’t go to such lengths to get their code signed and their papers scrutinized.
// Oliver
Hi David.
> […] There are
> expenses and I think Microsoft has decided that open source kernel code
> has no reason to exist.
This restriction applies to user-mode code-signing as well, though.
> Microsoft could offer, for a reasonable fee, a service where a
> developer would submit his source code to Microsoft and they would then
> sign generated binaries with a unique key for this purpose. That would
> solve the malware issues, but it would cost Microsoft a significant
> amount of money to do this.
Ehrm, so whom does the end-user have to trust in this scenario, me or Microsoft? I see a problem in this. As mentioned before, I have tried to get the same deal that was offered for businesses. Also, founding a limited in itself is not the problem anywhere in Europe either, but the attached costs and bureaucratic hurdles are.
As far as I see it, the likelihood of being a “traceable entity” (at
least in the U.S.) is higher with a company than with an individual.
This is probably the reason they don’t want to accept
non-business-individuals as certificate holders.
On 12/6/2009 9:34 PM, Oliver Schneider wrote:
> A certificate to sign my own creations of software, e.g. OpenSource
> projects (so it’s not all about drivers only in my case) to give my
> users the assurance that what they download is from me. So if they
> trust me and the issuer they can trust the downloaded package after
> verifying the signature.
Ah. The “give my users the assurance that what they download is from me”
can be solved:
=> Anyone can verify if your software is from you.
For drivers on 64bit systems, your users additionally need to configure
their systems to accept “test signed drivers” (and possibly have to
install your certificate as “trusted root certificate”).
Getting rid of the Microsoft warnings is another issue.
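One way a user can perform the “is this really from the author” check Hagen describes, as an added example that is not part of this thread or of any project mentioned in it: compare the signer certificate on the downloaded file against a thumbprint the author publishes out of band, and report separately whether Windows also trusts the chain. The function name, file name and thumbprint are placeholders.

```powershell
# Added example, not from the thread. Checks that a downloaded file is signed with
# the certificate the author published, whether or not that certificate chains to a
# root Windows trusts. Function name, path and thumbprint are placeholders.
function Test-AuthorSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 certificate thumbprint the author publishes out of band (placeholder).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # No signature at all: there is nothing to compare against.
    if ($sig.Status -eq 'NotSigned' -or $null -eq $cert) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'unsigned'; Detail = $sig.StatusMessage }
    }
    # File content changed after signing: reject regardless of who signed it.
    if ($sig.Status -eq 'HashMismatch') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'tampered'; Detail = $sig.StatusMessage }
    }
    # Thumbprints are uppercase hex with no separators; normalise the published value.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'wrong-signer'; Detail = "Signed by: $($cert.Subject)" }
    }
    # The author's key matches. 'Valid' means Windows also trusts the chain (CA-issued
    # certificate); anything else (typically 'NotTrusted') means trust rests solely on
    # the out-of-band thumbprint, which is the self-signed / test-certificate case.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $verdict = if ($sig.Status -eq 'Valid') { 'valid-trusted-chain' } else { 'valid-author-key-only' }
    [pscustomobject]@{
        Path       = $Path
        Verdict    = $verdict
        SelfSigned = $selfSigned
        Detail     = "$($sig.Status): $($sig.StatusMessage)"
    }
}

# Usage with placeholder values:
# Test-AuthorSignature -Path .\WinDirStat-setup.exe -ExpectedThumbprint '0000000000000000000000000000000000000000'
```

A `valid-author-key-only` verdict tells the user that the signature proves the file came from whoever holds the published key, but that no CA vouched for who that is; that is exactly the difference the thread is arguing about.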
Hagen Patzke wrote:
> As far as I see it, the likelihood of being a “traceable entity” (at
> least in the U.S.) is higher with a company than with an individual.
> This is probably the reason they don’t want to accept
> non-business-individuals as certificate holders.
That’s exactly the reason. The purpose of the signature is to provide a
reliable way to LOCATE the author when something goes wrong, so that the
lawyers have a place to deliver the subpoena. It’s not about trust or
reliability or reputation. It’s about FINDING.
It’s not that individuals are less dangerous than businesses, it’s that
individuals are demonstrably more FLIGHTY than individuals.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
“Tim Roberts” wrote in message news:xxxxx@ntdev…
> Hagen Patzke wrote:
>> As far as I see it, the likelihood of being a “traceable entity” (at
>> least in the U.S.) is higher with a company than with an individual.
>>
>> This is probably the reason they don’t want to accept
>> non-business-individuals as certificate holders.
>>
>
> That’s exactly the reason. The purpose of the signature is to provide a
> reliable way to LOCATE the author when something goes wrong, so that the
> lawyers have a place to deliver the subpoena. It’s not about trust or
> reliability or reputation. It’s about FINDING.
>
> It’s not that individuals are less dangerous than businesses, it’s that
> individuals are demonstrably more FLIGHTY than individuals.
>
Like everything else there are plenty of counter examples. In a neighboring
town a gentleman had created over 20 businesses, registered and in multiple
cases with Verisign. Turns out they were all scams (though some were many
years old) and the owner has decamped to parts unknown after a number of
swindles on both the internet and US mail.
I do wish there was a way to get an individual’s certificate. I would not
mind if the certificate caused more warnings on install than that of a
“company”, but there should be a way to say “I trust Oliver Schneider” so
let his software be installed. Of course having a good way to verify that
it is Mr. Schneider’s software is needed. For that matter, I still want a
certificate I can use to access WHQL.
–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Tim Roberts wrote:
> It’s not that individuals are less dangerous than businesses, it’s that
> individuals are demonstrably more FLIGHTY than individuals.
I can’t believe I let that go.
“…individuals are demonstrably more FLIGHTY than businesses.”
Apparently, I am demonstrably more flightly than either.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Could there ever be a company to sign certificates for individuals if they confidentially release their source code for a yearly price similar to that of buying a license?
xxxxx@hotmail.co.uk wrote:
> Could there ever be a company to sign certificates for individuals if they confidentially release their source code for a yearly price similar to that of buying a license?
The legal entanglements of this would take the lawyers years (and
$millions) to work out. In my view, the company would be volunteering
to become legally liable for any driver that was signed and released
that way. That’s what the signature says: “I’m liable for this
product.” That possibility should be enough to make any corporate legal
department shriek in horror.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
What liability when the product’s license states (and I quote from my own Open Source BSD licenced stuff):
“THIS SOFTWARE IS PROVIDED BY ‘‘AS IS’’ AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.”
(Sorry for the caps, that’s how the original BSD licence is written.)
If you use my software, you must agree to that. So that would mean that if you (SourceForge, CodePlex, other OSS sites, a commercial entity) signed my package, you are not legally bound to anything.