Kyle Hamilton wrote, On 2008-12-24 08:39:
> On Wed, Dec 24, 2008 at 4:25 AM, Ian G <i...@iang.org> wrote:
>> PS: on an earlier comment, check this out:
>>
>> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx
>>
>> This is, IMHO, the sort of work that Mozilla should be treating as more
>> important than today's case, because it evidences PRESENT danger.
>
> "In most cases, CAs participating in the Microsoft Root Certificate
> Program issue code signing certificates to a software publisher who
> uses the certificate to sign malware. [...] In most cases, CAs
> participating in the Microsoft Root certificate program are tricked
> into issuing a valid certificate to the malware author."
>
> Uhm... how is it "being tricked" to issue a code signing certificate
> to a malware author, if the malware author proves his bona fides, and
> it's issued in the name of the malware author?
Microsoft defines two sets of requirements to which an author must agree as a condition of receiving a code signing certificate (one set for individual authors and one set for corporate publishers). See MS's statement about this at

http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx#Criteria_for_Commerc
http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx#Criteria_for_Individ

These are requirements to be enforced by the issuer. The issuer CA is required to enforce those requirements by its agreement with Microsoft, which (as I understand it) is a condition of being recognized as a code signing CA by MS software.

In both sets of criteria, the authors/publishers must agree "that they will not distribute software that they know, or should have known, contains viruses or would otherwise harm a user's computer or code." (Oddly, that definition seems to exclude harm to the user's data. It also seems to exclude key loggers or other malware that would harm the user without harming his computer [no smoke] or its code.)

So, from MS's perspective, if some malware is signed with a cert issued by one of the CAs that MS has added to their trusted code signing CA list, then it must be the case that (at least) one of the following has occurred:

- The software publisher did not know that it was signing malware, or
- The software publisher breached its agreement with the issuer of its cert, or
- The issuer breached its agreement with MS.

It appears that the author of the page you cited chose to describe the breach of the publisher's agreement with the issuer as the publisher having tricked the issuer into issuing the certificate. That choice of words seems to imply that the publisher had intent to publish malware at the time he applied to receive the certificate. I think MS is saying that they believe that, in most cases, that's what happened; the publisher of the malware sought to obtain the cert expressly to publish signed malware.
I don't recall Mozilla's CA policy having any provisions requiring code signing CAs to require any pledge against signing malware. :( Maybe that's Ian's point.

But I also observe that Mozilla's community of browser developers mostly wish to avoid code signing. The perception that code signing certs are prohibitively expensive is, once again, the issue. Consequently,

- Mozilla does not require that code be signed in a way that identifies the signer as a condition of publishing browser extensions on addons.mozilla.org. Instead, they have devised a scheme that attempts to ensure that any automatic updates to an extension come from the same (potentially anonymous) source as the original extension, through the use of anonymous public keys embedded in the original extension.
- A Firefox user sees almost no distinct UI behavior between downloading an unsigned extension vs a signed one. AFAIK, the ONLY difference is the appearance of the word "unsigned" in red letters in the dialog box that asks the user whether to go ahead with the installation. That dialog always appears, for signed and unsigned extension downloads, and there are no additional hurdles to installing unsigned downloads.
- Until recently, web pages whose javascript wanted to take special privileged actions needed to be signed pages, but that requirement is being (or has been) removed, IINM.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
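The same-source update scheme described in the first bullet above, as an added illustration that is not part of the thread and not Mozilla's own code: the client pins the anonymous public key shipped in the original extension and accepts a later update only if its manifest is signed by that same key, regardless of who the signer is. The manifest layout, extension ID and package bytes are constructed for the example; Ed25519 stands in for whatever key type the real scheme used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, hypothetical update descriptor (not Mozilla's
// real update format); the signed bytes are id|version|sha256(package).
type UpdateManifest struct {
	ID, Version string
	PkgSHA256   [32]byte
	Sig         []byte
}

func manifestBytes(m UpdateManifest) []byte {
	return append([]byte(m.ID+"|"+m.Version+"|"), m.PkgSHA256[:]...)
}
// SignUpdate: publisher side, signing with the private half of the embedded key.
func SignUpdate(priv ed25519.PrivateKey, id, version string, pkg []byte) UpdateManifest {
	m := UpdateManifest{ID: id, Version: version, PkgSHA256: sha256.Sum256(pkg)}
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate: client side. pinned is the public key recorded at install time; accept
// only an update for this extension, signed by that key, whose package matches the hash.
func VerifyUpdate(pinned ed25519.PublicKey, extID string, m UpdateManifest, pkg []byte) error {
	if m.ID != extID {
		return errors.New("manifest is for a different extension")
	}
	if !ed25519.Verify(pinned, manifestBytes(m), m.Sig) {
		return errors.New("update not signed by the key pinned at install time")
	}
	if sha256.Sum256(pkg) != m.PkgSHA256 {
		return errors.New("package does not match the signed hash")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the extension's original key
	_, other, _ := ed25519.GenerateKey(rand.Reader)  // some other publisher's key
	pkg := []byte("constructed extension package bytes")
	fmt.Println(VerifyUpdate(pub, "demo@example.org", SignUpdate(priv, "demo@example.org", "1.1", pkg), pkg))
	fmt.Println(VerifyUpdate(pub, "demo@example.org", SignUpdate(other, "demo@example.org", "1.1", pkg), pkg))
}
```

Note what the check does not give you: a signature by the pinned key proves continuity with the original publisher, not that the publisher is honest or identified.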