
dotnet security : Code Signing Certificates for individuals / open-source


Will
9/20/2005 11:09:02 PM
Why do code signing authorities refuse to issue certificates to individuals
or open-source projects? Are they seriously saying that organisations like
Enron, Worldcom, etc. are more trustworthy than the people who contribute to
GotDotNet? Why do they cost so much?

Code Signing is a great idea because it allows you to identify who has
written a software product. It encourages developers to take responsibility
for their software. Certainly, someone who is prepared to put their name and
address with some registering authority is less likely to distribute
malicious code and if they do their certificate could be withdrawn or
black-listed.

Microsoft should promote the idea that you don't install or run anything on
your PC unless it has a code signed certificate that ties the code to the
website to the individual. It is then a simple matter of people visiting the
website linked with the certificate and making a personal judgment as to
whether to trust the person who wrote the code. For example, a website that
listed various GotDotNet projects, published articles and membership of
professional organizations (all with appropriate links) possibly belongs to
someone you can trust. The more good stuff people publish the more trusted
they become; a quick search on MSN / Google tells you a lot about someone
(even me).

What's the alternative? The present situation whereby 99% of open-source
code is downloaded without any form of identification? Why can't Microsoft
help individuals get a code signing certificate?

Will Stott

Michel Gallant
9/21/2005 9:18:26 AM
I think there is a lot of lack of understanding as to exactly what
an issued code-signing certificate is supposed to actually mean.
The ONLY thing it means is that:

- the entity who has used that certificate, issued by a well-known CA
(VeriSign, etc.), has been IDENTIFIED by the issuing CA. This facilitates
distribution of signed code from anywhere.

- Note that this says absolutely NOTHING about any TRUST in the entity
who owns that code-signing certificate

- the technology fact that your software/technology can verify that no tampering
has occurred has nothing to do with trusting the owner (or user) of the code-signing
certificate.

There is a lot of misleading information about "trusted signers" which is complete
nonsense. You must NEVER trust any company's or individual's code which was
signed by a "recognized" code-signing certificate unless you have done DUE DILIGENCE
in making sure that you implicitly trust the company or entity whom you believe owns
and properly maintains their code-signing certificate!
IMO, companies like VeriSign who charge ~200.00+ for a code-signing certificate
are making use of their reputation of trust, but that definitely SHOULD not extend to
end users automatically and naively trusting code signed with one of these companies'
code-signing certs.

So Microsoft obviously does NOT want to be in the optics business of trying to
enable developer trust by assisting in promotion of CA issuance infrastructure.

BTW, I have purchased a commercial code-signing cert from VeriSign ...
but would anyone trust code signed with MY certificate, just because it was issued
by VeriSign? Anyone who does this is a fool and does not understand the real trust
issues :-)
You can see my commercial cert issued via my home page.

Cheers,
- Mitch Gallant
MVP Security
www.jensign.com

(btw, do you REALLY believe and trust that the owner of the jensign web site is associated
with an MVP owner?? prove it! Also, does Mitch Gallant REALLY own the JavaScience Consulting
certificate used to sign many win32 exe and .net assemblies on that site?? PROVE IT!)
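The distinction both posts circle around (a signature proves identity and integrity, while trust is a separate decision the verifier makes after due diligence) can be shown in code. The following is an added example, not code from either poster or from any CA or Microsoft tooling. It stands in for an Authenticode/X.509 chain with a bare ed25519 key pair, so the "certificate" here is just a name bound to a public key; the publisher name, the sample assembly bytes and the trust store contents are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher models what a CA-issued code-signing certificate asserts: a binding
// between an identity string and a public key. As the thread says, that is
// identification only; it says nothing about whether the holder is trustworthy.
type Publisher struct {
	Name string // the subject name a CA would have verified (constructed here)
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh key pair; this stands in for the CA issuing a cert.
func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the code bytes.
func (p *Publisher) Sign(code []byte) []byte {
	return ed25519.Sign(p.priv, code)
}

// Fingerprint is the hex SHA-256 of the public key. A trust store pins on this,
// not on the display name: the CA checked the name, but only you vouch for the key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// TrustStore is the verifier's own allow-list of publisher key fingerprints,
// populated only after the due diligence the second post insists on.
type TrustStore map[string]bool

// Verdict keeps the two questions apart instead of collapsing them into "signed".
type Verdict struct {
	Untampered    bool // cryptographic check: signature valid under the publisher key
	SignerTrusted bool // policy check: the verifier, not the CA, chose to trust this key
}

// ShouldRun is the only question an installer should act on: both must hold.
func (v Verdict) ShouldRun() bool {
	return v.Untampered && v.SignerTrusted
}

// Evaluate runs both checks. A valid signature from an unknown publisher yields
// Untampered=true, SignerTrusted=false: "identified" is not "trusted".
func Evaluate(code, sig []byte, pub ed25519.PublicKey, store TrustStore) Verdict {
	v := Verdict{}
	if len(sig) == ed25519.SignatureSize && ed25519.Verify(pub, code, sig) {
		v.Untampered = true
	}
	v.SignerTrusted = store[Fingerprint(pub)]
	return v
}

func main() {
	p, err := NewPublisher("Example Publisher (constructed)")
	if err != nil {
		panic(err)
	}
	code := []byte("constructed sample: bytes of a .NET assembly") // stand-in payload
	sig := p.Sign(code)

	// Signed by an identified but un-vetted publisher: integrity holds, trust does not.
	fmt.Printf("unknown signer: %+v\n", Evaluate(code, sig, p.Pub, TrustStore{}))

	// Tampered bytes: the signature no longer verifies.
	tampered := append([]byte{}, code...)
	tampered[0] ^= 0x01
	fmt.Printf("tampered:       %+v\n", Evaluate(tampered, sig, p.Pub, TrustStore{}))

	// After due diligence the verifier pins the key fingerprint; now both checks pass.
	store := TrustStore{Fingerprint(p.Pub): true}
	fmt.Printf("vetted signer:  run=%v\n", Evaluate(code, sig, p.Pub, store).ShouldRun())
}
```

Note that a second key pair created under the same display name gets nothing from the store, because the store pins the key, not the name; that is the difference between a CA having identified "Example Publisher" and you having decided to trust a particular key that someone calling themselves that actually controls.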