Are Thawte code-signing certificates not secure?

  • Question

  •  

    From the WinQual site:

     

    Why Is a Digital Certificate Required for Winqual Membership?

    A digital certificate helps protect your company from individuals who seek to impersonate members of your staff or who would otherwise commit acts of fraud against your company.  Using a digital certificate enables proof of an identity for a user or an organization.

     

    Does this mean that code signed with a certificate issued by an authority (such as Thawte) cannot be used as proof of an identity? Does the fact that Microsoft is not accepting code signed with certificates from trusted authorities (such as Thawte) indicate that they cannot be trusted?

     

    And if not, why are they allowed to continue to issue code signing certificates?

    • Moved by Max Wang_1983 Tuesday, April 26, 2011 5:01 PM forum consolidation (From:Windows Error Reporting for ISVs)
    Friday, July 11, 2008 12:26 PM

Answers

  • We are only setup to accept VeriSign Certificates at this point.  We have not had an overwhelming demand to support other types of certificates.

     

    Wednesday, July 16, 2008 11:06 PM

All replies

  •  khill wrote:
    We are only setup to accept VeriSign Certificates at this point.

     

    Could you elaborate on what it means to be "setup"? The technology already exists to see if a certificate is signed by a trusted root - what more is needed to be setup?

     

    Alternatively, you can simply check if the fingerprint of the key that signs the WinQual.exe test executable matches the certificate fingerprint of an executable that crashed in the wild. As long as they were both signed by the same key, you know the person requesting access to their crash dumps is the same person who signed the executable that crashed. Even a test certificate is sufficient to ensure users' security and privacy.

     

    Why can I not have my crash dumps? Why is not every certificate accepted?

     

    What does it mean to not be "setup"?

     

    Friday, August 1, 2008 7:48 PM
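
    The comparison proposed in the reply above, written out as an added example (it is not part of the thread and not how WinQual itself works). The function names `Get-SignerIdentity` and `Compare-Signer` and the paths in the usage comment are hypothetical. It compares the hash of the signer's public key as well as the certificate thumbprint, because a renewed certificate can carry the same key under a new thumbprint.

```powershell
# Added example: compare the Authenticode signers of two files.
function Get-SignerIdentity {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
        throw "No Authenticode signature on $Path"
    }
    if ($sig.Status -eq 'HashMismatch') {
        # The file contents no longer match the signed digest.
        throw "Signature on $Path does not match the file contents"
    }

    # Hash the raw public key bytes of the signing certificate.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $keyHash = $sha256.ComputeHash($sig.SignerCertificate.GetPublicKey())
    } finally {
        $sha256.Dispose()
    }

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status   # chain trust result: reported, not enforced
        Subject        = $sig.SignerCertificate.Subject
        CertThumbprint = $sig.SignerCertificate.Thumbprint
        PublicKeyHash  = [System.BitConverter]::ToString($keyHash) -replace '-', ''
    }
}

function Compare-Signer {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$CandidatePath
    )
    $ref  = Get-SignerIdentity -Path $ReferencePath
    $cand = Get-SignerIdentity -Path $CandidatePath

    [pscustomobject]@{
        SameCertificate = $ref.CertThumbprint -eq $cand.CertThumbprint
        SamePublicKey   = $ref.PublicKeyHash  -eq $cand.PublicKeyHash
        ReferenceStatus = $ref.Status
        CandidateStatus = $cand.Status
    }
}

# Usage (hypothetical paths):
# Compare-Signer -ReferencePath '.\WinQual.exe' -CandidatePath '.\CrashedApp.exe'
```

    The two `Status` fields are returned so the caller can decide separately whether an untrusted chain, such as a test certificate, is acceptable.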
  •  

    Hi Jack,

     

    Not that I know but I would assume that the team running the WinQual system is a live team and not a dev team - as in, personality and skillset geared towards maintenance of existing systems. I could be wrong though :)

     

    Best,

    Peter

     

    Saturday, September 13, 2008 9:19 AM
  • I am beginning to recognize that about Microsoft.

    A team comes together to create a product, and once the product launches the team members move onto different things, leaving others in maintenance mode.

    The team doesn't get to benefit from real feedback from customers, rather than trying to guess what customers want.

    Visual Studio. WinForms. WPF. Outlook. And now WinQual.



    And from the blog of one woman who is part of a small group of people at Microsoft lobbying that they get a group to fix the documentation system in Visual Studio. They know it's bad. They know customers don't like it. They hear the feedback. But you have to do a bureaucratic pit-fight to get a team that will be allowed to spend a year redoing it. And once it's redone the members will be moved elsewhere, and the product is abandoned.
    Tuesday, September 16, 2008 11:51 AM
  • Hi,

    My company uses Thawte code signatures. I tried to sign up for Winqual but wasn't able to. Can you manually create an account for us? The company is Box inc. www.box.com.

    Thanks!

    -Dave

    Tuesday, April 22, 2014 9:35 PM