[ciphershed] Re: Signed System Driver

  • From: "Alain Forget" <aforget@xxxxxxx>
  • To: <ciphershed@xxxxxxxxxxxxx>
  • Date: Sat, 14 Jun 2014 11:10:52 -0400

As far as I know, any certificate authority (such as those listed here: 
https://en.wikipedia.org/wiki/Certificate_authority#Providers) can provide us 
with a certificate with which we can sign our drivers (and the Windows 
installation package).

When I looked these up to obtain one for my research group last year, according 
to sslshopper.com, I found that DigiCert was the best rated, and their pricing 
is middle-of-the-road:

3 Year   $178.33 USD / year 
2 Year   $198.50 USD / year 
1 Year   $223.00 USD / year

We will also need the "full legal name" (and full mailing address & phone 
number) of our organisation. This name will be what shows up on the UAC and 
installation dialog boxes.

Note that this certificate should be able to digitally sign any software for 
Windows, Java, Apple, browser extensions, and so on, which may or may not be 
useful to us later on.

So this leaves some open questions:

1) How are we going to pay for this? (Yet another use for possible donations, 
if/when we open that up)
2) How long do we want the cert?
3) What will our "full legal name" be? I imagine this could be a member of our 
group who has full intentions of sticking around for the length of the cert, 
and is comfortable signing our drivers and executables (which I would guess 
legally means such person is vouching for the integrity and non-maliciousness 
of the code). However, if we want to make it our "organisation", (CipherShed 
Inc.? :-P) I fear we don't have a full mailing address and phone number, so...I 
don't know how we would handle that. Presumably someone could contact the 
certificate authority and ask how this is done for distributed open-source 
projects, such as this.

Despite these challenges, if we want our software to be trusted and reputable, 
I think obtaining a certificate with which to sign our drivers and 
executables/binaries is a must.

Alain

-----Original Message-----
From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:ciphershed-bounce@xxxxxxxxxxxxx] 
On Behalf Of Stephen R Guglielmo
Sent: Saturday, June 14, 2014 10:47
To: ciphershed@xxxxxxxxxxxxx
Subject: [ciphershed] Signed System Driver

We're going to (eventually) need a certificate issued by a
"certificate authority" (I assume that's Microsoft?) to sign the
system driver on Windows. Some versions of Windows won't let the driver
run unless it's signed. There might be a setting to ignore this, but
we shouldn't force all users to change their settings...

The certificate is probably unnecessary for the time being. If I'm
understanding things correctly, it's only for the system disk
encryption, not encrypting non-system disks or using file-hosted
storage.

I haven't had time to research the process of obtaining a certificate,
anyone want to volunteer? :D

Thanks,
Steve

