I’ve been using a driver signing certificate issued by ‘GlobalSign Root CA’ but there are plenty of problems with that:
a. requires a separate Windows XP computer/VM to perform the signing.
b. have a limit of 50 time stamps PER MONTH (not enforced but part of their licensing)
c. was a target of a [semi]successful hack last year
With the new stronger certificate requirements coming in 2013, what is the best Root CA to get a driver signing certificate from?
Microsoft has a list of Cross-Certificates (http://msdn.microsoft.com/en-us/windows/hardware/gg487315) which limits the choices to one of the following:
a. Certum Trusted Network CA
b. DigiCert Assured ID Root CA
c. DigiCert Global Root CA
d. DigiCert High Assurance EV Root CA
e. Entrust.net Certification Authority (2048)
f. GeoTrust Primary Certification Authority
g. GeoTrust Primary Certification Authority - G3
h. GlobalSign Root CA
i. Go Daddy Root Certificate Authority - G2
j. NetLock Arany (Class Gold)
k. NetLock Platina (Class Platinum)
l. Security Communication RootCA1
m. Starfield Root Certificate Authority - G2
n. StartCom Certification Authority
o. TC TrustCenter Class 2 CA II
p. Thawte Primary Root CA
q. Thawte Primary Root CA - G3
r. VeriSign Class 3 Public Primary Certification Authority - G5
s. VeriSign Universal Root Certification Authority
xxxxx@2die4.com wrote:
I’ve been using a driver signing certificate issued by ‘GlobalSign Root CA’ but there are plenty of problems with that:
a. requires a separate Windows XP computer/VM to perform the signing.
b. have a limit of 50 time stamps PER MONTH (not enforced but part of their licensing)
c. was a target of a [semi]successful hack last year
Why does it take a separate computer to do the signing? I do my signing
on my main development machine, and I use a GlobalSign certificate.
I have never seen the 50-per-month restriction in any of the documents I
filled out, and I’m usually pretty good about reading the legalese (at
least the first time I visit a site). Indeed, I’m not sure how they
COULD enforce that. I get my timestamps from Verisign, per the
Microsoft recommendation. There shouldn’t be anybody phoning home to
GlobalSign when I sign a driver.
With the new stronger certificate requirements coming in 2013, what is the best Root CA to get a driver signing certificate from?
I haven’t seen any reason to deviate from GlobalSign.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
On 05/03/2012 18:57, Tim Roberts wrote:
I have never seen the 50-per-month restriction in any of the documents
I filled out, and I’m usually pretty good about reading the legalese
(at least the first time I visit a site). Indeed, I’m not sure how
they COULD enforce that. I get my timestamps from Verisign, per the
Microsoft recommendation. There shouldn’t be anybody phoning home to
GlobalSign when I sign a driver.
From http://www.globalsign.com/repository/subscriber-agreement.txt :
"GlobalSign offers the ability to timestamp code signed with its
CodeSigning Digital Certificate as a non chargeable service when used
reasonably. A reasonable limit of 50 timestamp operations per month for
the duration of the certificate is set. GlobalSign withholds the right
to withdraw the service or charge for the service where the volume of
time stamping operations performed is in excess of this limit. "
–
Bruce Cran
Bruce Cran wrote:
From http://www.globalsign.com/repository/subscriber-agreement.txt :
"GlobalSign offers the ability to timestamp code signed with its
CodeSigning Digital Certificate as a non chargeable service when used
reasonably. A reasonable limit of 50 timestamp operations per month for
the duration of the certificate is set. GlobalSign withholds the right
to withdraw the service or charge for the service where the volume of
time stamping operations performed is in excess of this limit. "
I wonder if they actually check that. And if they do, WHY they do.
Timestamping is a trivial operation. Even 50 timestamps per second
would not be a significant burden on their server.
In any case, now I have a good reason to continue using
timestamp.verisign.com, as recommended in the Microsoft docs.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
On 3/5/2012 1:50 PM, xxxxx@2die4.com wrote:
I’ve been using a driver signing certificate issued by ‘GlobalSign Root CA’ but there are plenty of problems with that:
a. requires a separate Windows XP computer/VM to perform the signing.
I have not had this problem with a Windows 7 Professional 64-bit PC.
My command line looks like this:
signtool sign /v /n (certificate name) /ac "GlobalSign Root CA.crt" /t http://timestamp.verisign.com/scripts/timstamp.dll bin\oemsetup.cat
This is part of the batch file that also builds the driver.
I did need the /ac portion to get things validating, but, no need for XP…
James
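The command line above signs the catalog but does not check the result. Below is an added example, not code from the thread or from any poster, that wraps the same signtool invocation in a script and then verifies the catalog against the kernel-mode signing policy (signtool verify /kp), which is the check that fails when the /ac cross-certificate is left out. The certificate subject name and paths are placeholders, and the two string matches on the verbose output are assumptions about signtool's wording; the timestamp URL and cross-certificate file name are the ones given in the post.

```powershell
# Added example: sign a driver catalog with a cross-certificate, timestamp it,
# then verify it the way the kernel will (kernel-mode policy, /kp).
# The subject name and paths below are hypothetical placeholders.
param(
    [string]$CertSubject  = "Example Driver Vendor",                     # placeholder
    [string]$CrossCert    = "GlobalSign Root CA.crt",                    # from the thread
    [string]$Catalog      = "bin\oemsetup.cat",                          # from the thread
    [string]$TimestampUrl = "http://timestamp.verisign.com/scripts/timstamp.dll"
)

$ErrorActionPreference = "Stop"

# 1. Sign. /ac attaches the Microsoft cross-certificate so the chain reaches the
#    Microsoft Code Verification Root; without it the CA's own root is the end of
#    the chain and the kernel rejects the driver even though user-mode tools accept it.
& signtool sign /v /n $CertSubject /ac $CrossCert /t $TimestampUrl $Catalog
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify with the kernel-mode driver signing policy, not the default policy.
#    Capture stdout+stderr and flatten to one string so -match works on the whole text.
$verifyText = (& signtool verify /v /kp $Catalog 2>&1 | Out-String)
if ($LASTEXITCODE -ne 0) { throw "kernel-mode verification failed:`n$verifyText" }

# 3. Sanity checks on the verbose chain listing. Both substrings are assumptions
#    about signtool's output wording; adjust if your SDK version prints them differently.
if ($verifyText -notmatch "Microsoft Code Verification Root") {
    throw "Chain does not reach the Microsoft Code Verification Root; was /ac omitted?"
}
if ($verifyText -notmatch "timestamp") {
    Write-Warning "No timestamp found; the signature will stop validating when the certificate expires."
}

Write-Host "OK: $Catalog is signed, timestamped and passes the kernel-mode policy."
```

Run it from the same batch/build step that produces the catalog. The point of step 2 is that plain `signtool verify` (default policy) passes with or without the cross-certificate, so it cannot tell you whether a test machine will load the driver; `/kp` can.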
The certificate GlobalSign provides is not their latest certificate.
Windows Vista (and newer) has an auto-update feature, so if Vista is used and the certificate signing computer is ever connected to the network it will update the certificate to its latest version.
This was explained in the GlobalSign support page.
Starting June 26th 2011, GlobalSign has “New Intermediate Certificates” which may have this problem fixed but I am not sure. They did add the 2048-bit key support as well.
/replies with usual comment about asking about “the best” anything
Wow… I wasn’t aware the cross-signing list had been so significantly expanded.
I’d say go with whatever cert is cheapest. I *hate* being gouged for $500 for my code signing cert. It just rubs me the wrong way.
Anybody know who’s cheapest, given the cross-signing list above?
Peter
OSR
I bought GlobalSign because it’s very cheap and enough for me. They have
models for lone developers which are very cheap.
I’d qualify that. Cheapest and works. From what I have seen here, GlobalSign, Thawte and Verisign all have functional evidence. I’ve never even heard of the others in that list.
(Damn - and I just renewed my VeriSign cert.)
Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
What’s “very cheap”?
I’m seeing prices of around $169/year… which is a hell of a lot better than Verisign’s $499/year, but still about $119/year more than I think the service is worth (this, he says, after having paid Verisign’s rates for lo these many years… and I just renewed our cert also, Gary).
Peter
OSR
At http://www.globalsign.com/code-signing/ I see only 129 a year. Anyway,
as you said, it is not that cheap, but it may be the cheapest option available.
Renewing is $90:
http://www.globalsign.com/digital-certificate-renewal/renew-code-signing/individuals.html
On 05-Mar-2012 23:33, xxxxx@osr.com wrote:
…
but still about $119/year more than I think the service is worth
The cert price is not for a service. It is a kind of tax, like most
"security" things.
Android and iOS worlds have their own taxes.
– pa
Plus, VeriSign is now debauched by Symantec, so I may have an even bigger reason for changing CA’s next year.
Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
May need Verisign if you want a WHQL account…
Thomas F. Divine. Sent from my Droid.
That has always been an issue and often makes other brands of kernel signing certs not much of a better deal than just getting a Verisign cert. I do wish MSFT would change their policy about this.
Actually, since most of us already pay MSFT THOUSANDS of dollars for MSDN subscriptions, I’d like to see MSFT issue signing certs for WHQL and kernel signing bundled as part of the MSDN package. If I’m an Apple iOS developer, $99 gets me all the tools AND signing certificates. I assume for the MSFT phone and app store, there must be a unique signing cert involved, so it seems like MSFT ALREADY must be geared up to issue vendor code signing certs.
Jan
Subject: RE: [ntdev] What is the best root CA for signing kernel drivers
May need Verisign if you want a WHQL account…
On 3/5/2012 10:56 PM, Thomas Divine wrote:
May need Verisign if you want a WHQL account…
The VeriSign $99 “Organizational ID” deal is enough to sign up for
WinQual (now “Windows Developer Center” at sysdev.microsoft.com). And
you only need to buy it once for the sign-up.
AFAIK, you need a VeriSign certificate to sign the logs for Windows Logo
Submission.
On 3/5/2012 7:50 PM, xxxxx@2die4.com wrote:
I’ve been using a driver signing certificate issued by ‘GlobalSign Root CA’
Us, too. No problems so far - for more than five years now.
a. requires a separate Windows XP computer/VM to perform the signing.
No, not for signing. But for the verification of the embedded signatures.
Unless you just parse the output from the "certmgr" tool runs and check if all signatures and cross certificates are included.
> b. have a limit of 50 time stamps PER MONTH (not enforced but part of their licensing)
Microsoft recommends VeriSign for timestamping. So why would you use
GlobalSign for that?
Also it is better if you can use certificates/signatures from two
independent entities.
> c. was a target of a [semi]successful hack last year
“was a target of a published [semi]successful hack last year.”
We don’t know if anyone has broken into any one of the other CAs. That
it’s not in the press does not mean they are more secure. They might
just not have noticed themselves. Or successfully covered up. We just
can’t know.