Free Republic

Windows code-signing tweaks sure to irritate software developers (Hardware Certs? Huh?)
The Register ^ | Jan 26, 2017 | John Leyden

Posted on 01/27/2017 5:17:17 AM PST by dayglored

Changes that mean signing certificates for Windows can only be sold in hardware form – or from an as-yet undefined cloud-based "service" – from the start of February are likely to have a big effect on software development.

US trade body the Certificate Authority Security Council decided in December that "best practice" for code-signing certificates was to embed them in hardware devices, a policy endorsed with upcoming changes from Microsoft that kick in next week.

This could present an upheaval for software developers, according to a Reg reader who flagged up the story and asked to remain anonymous.

"ISVs who need to buy new certificates may find themselves having to revise their build processes," our anonymous tipster said. "It's interesting that one-man-and-a-dog shops won't be especially affected by the procedural changes, but will complain about the approximate doubling of certificate prices. Meanwhile, large ISVs with automated build-and-test systems won't especially worry about an extra few hundred pounds, but may have to revise their processes a lot."

(Excerpt) Read more at theregister.co.uk ...


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: codesigning; microsoft; windows; windowspinglist
This is likely to be a pain in the patootie, but it's probably a good idea. I think.

Code-signing is a big deal, very high security, usually with a signing server that's hidden off in a corner of the network and highly protected from everything except code-signing requests.

1 posted on 01/27/2017 5:17:17 AM PST by dayglored

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
This one is for the software developers ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 01/27/2017 5:17:59 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

“best practice”

After 35 years of programming, I note that anyone using the term “best practice” should not be asked near source code.


3 posted on 01/27/2017 5:27:51 AM PST by ctdonath2 (Understand the Left: "The issue is never the issue. The issue is always the Revolution.")

To: ctdonath2

asked = allowed


4 posted on 01/27/2017 5:28:27 AM PST by ctdonath2 (Understand the Left: "The issue is never the issue. The issue is always the Revolution.")

To: dayglored

Doesn’t do anything for code correctness though.


5 posted on 01/27/2017 5:42:12 AM PST by Ray76 (DRAIN THE SWAMP)

To: ctdonath2

Hear, hear!


6 posted on 01/27/2017 5:43:33 AM PST by Montana_Sam (Truth lives.)

To: Ray76
Doesn’t do anything for code correctness though.

Bingo! And if the code is poorly designed and weak it can still be exploited. All the Certs do is make it more likely the threat will come from inside instead of outside, and the true adversaries will adjust and account for that.

7 posted on 01/27/2017 5:54:05 AM PST by commish (Freedom tastes Sweetest to those who have fought to preserve it!)

To: Ray76

The biggest problem (at least attributable to a platform) on Windows is malware. Code signing assures that, while the code may be crap, you know whose crappy code it is.


8 posted on 01/27/2017 6:07:52 AM PST by ctdonath2 (Understand the Left: "The issue is never the issue. The issue is always the Revolution.")

To: dayglored
"embed them in hardware"

Made by whom?

There is such a thing as a hardware backdoor.

https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

And the cloud bit just sounds like a way to give gov access to everyone.

9 posted on 01/27/2017 7:25:25 AM PST by fruser1

To: fruser1

You can just write a device driver that tells the kernel I’m a device of type x and voila you have a ‘hardware’ dongle.


10 posted on 01/27/2017 7:55:52 AM PST by pierrem15 ("Massacrez-les, car le seigneur connait les siens")

To: ctdonath2; dayglored; Ray76; commish; fruser1; pierrem15

“best practice”; “Code-signing”; “code correctness” - “poorly designed and weak”; “hardware backdoor”; “write a device driver”.

This just goes to prove that no matter how hard Microsoft tries to be the “Ultimate Control Freak”, someone somewhere will always come up with “a better idea”. LOL


11 posted on 01/27/2017 3:55:03 PM PST by RebelTex
