[ciphershed] Re: Signed System Driver
- From: Stephen R Guglielmo <srguglielmo@xxxxxxxxx>
- To: ciphershed@xxxxxxxxxxxxx
- Date: Sat, 14 Jun 2014 11:37:33 -0400
On Sat, Jun 14, 2014 at 11:10 AM, Alain Forget <aforget@xxxxxxx> wrote:
> As far as I know, any certificate authority (such as those listed here:
> https://en.wikipedia.org/wiki/Certificate_authority#Providers) can provide us
> with a certificate with which we can sign our drivers (and the Windows
> installation package).
>
> When I looked these up to obtain one for my research group last year,
> according to sslshopper.com, I found that DigiCert was the best rated, and
> their pricing is middle-of-the-road:
>
> 3 Year $178.33 USD / year
> 2 Year $198.50 USD / year
> 1 Year $223.00 USD / year
>
> We will also need the "full legal name" (and full mailing address & phone
> number) of our organisation. This name will be what shows up on the UAC and
> installation dialog boxes.
>
> Note that this certificate should be able to digitally sign any software for
> Windows, Java, Apple, browser extensions, and so on, which may or may not be
> useful to us later on.
>
> So this leaves some open questions:
>
> 1) How are we going to pay for this? (Yet another use for possible donations,
> if/when we open that up)
> 2) How long do we want the cert?
> 3) What will our "full legal name" be? I imagine this could be a member of
> our group who has full intentions of sticking around for the length of the
> cert, and is comfortable signing our drivers and executables (which I would
> guess legally means such person is vouching for the integrity and
> non-maliciousness of the code). However, if we want to make it our
> "organisation", (CipherShed Inc.? :-P) I fear we don't have a full mailing
> address and phone number, so...I don't know how we would handle that.
> Presumably someone could contact the certificate authority and ask how this
> is done for distributed open-source projects, such as this.
>
> Despite these challenges, if we want our software to be trusted and
> reputable, I think obtaining a certificate with which to sign our drivers and
> executables/binaries is a must.
>
> Alain
I agree that we'll definitely have to do this at some point. Those
prices are (somewhat) reasonable, I suppose.
This is where I feel as though we should setup some sort of LLC or
Non-Profit.I would be more than happy to cover the costs of a
certificate, but I don't want any personal liability in the event that
something goes wrong down the line. I "donate" to the organization,
and the organization purchases the cert (not me). No one else should
have to bear that responsibility of personal liability either.
Other related posts:
