Windows code-signing tweaks sure to irritate software developers
Changes that mean signing certificates for Windows can only be sold in hardware form – or from an as-yet undefined cloud-based "service" – from the start of February are likely to have a big effect on software development.
US trade body the Certificate Authority Security Council decided in December that "best practice" for code-signing certificates was to embed them in hardware devices, a policy endorsed with upcoming changes from Microsoft that kick in next week.
This could present an upheaval for software developers, according to a Reg reader who flagged up the story and asked to remain anonymous.
"ISVs who need to buy new certificates may find themselves having to revise their build processes," our anonymous tipster said. "It's interesting that one-man-and-a-dog shops won't be especially affected by the procedural changes, but will complain about the approximate doubling of certificate prices. Meanwhile, large ISVs with automated build-and-test systems won't especially worry about an extra few hundred pounds, but may have to revise their processes a lot."
We'd love to hear from independent software vendors and any dev who's affected by this. You can drop security correspondent John Leyden a line here. ®
Updated on 30 January 09:31 UTC to add:
Bruce Morton, director of certificate technology & standards at Entrust Datacard and a member of the CA Security Council, told us that the requirement that keys for new certificates must be stored on hardware could be applied in a variety of ways. He played down any concerns that the move was brought in over too small a timescale and that it might cause inconvenience.
"The price changes may be quite low or 0 pounds," Morton explained. "Non-encrypted hardware can be used and a USB drive price is quite low. Also, some CAs will provide their certificates with a USB token at low or zero cost which will meet the criteria of the second bullet above. There may also be low priced cloud solutions such as Azure Key Vault which can be used.
"There may be some issues as we get started, but there is also opportunity for solutions to be explored and supported by the CAs," he added.