Whos In Charge of Code Signing?

By Larry Seltzer  |  Posted 2007-08-30 Print this article Print

Opinion: It's the certificate authority, VeriSign being the biggie, that makes these decisions. Microsoft doesn't pull the strings behind these entities.

When a code signing signature is revoked, who revokes it? The certificate authority, of course. Obvious, one would think, unless the evil presence of Microsoft is detected. At that point, some think, everyone elses free will melts away and they do Redmonds bidding irrespective of their own interests. So it was in the case of Atsiv. I beat this story to death in a prior column and not one, but two blogs. But the short summary of it is that 64-bit Vista requires that kernel code, including device drivers, be digitally signed with a code signing certificate issued by a trusted certificate authority. Linchpin Labs wrote Atsiv, a program which uses a custom loader to load unsigned drivers into kernel space. Microsoft responded by "working with VeriSign" to revoke the certificate and by adding a signature to Windows Defender for Atsiv, effectively declaring it to be malware.

The shutdown of Vista validation under Microsofts Windows Genuine Advantage program has been fixed. Click here to read more.

The actual language Microsoft used about the revocation of the certificate was this:
Microsoft has worked with partners in the code signing certification authority ecosystem to assess the Atsiv issue. VeriSign has revoked the code signing key used to sign the Atsiv kernel driver, which means the code signing key will no longer be considered valid.
And yet I have read in several places, including from Linchpin Labs themselves, about how Microsoft revoked the certificate: "the fact Microsoft has taken it upon itself to revoke the Atsiv certificate based on its own definition for malware sets a concerning precedent, one that should not be ignored."

The fact is that anyone can rat out anyone else for abuse of a code signing certificate by filling out the form on this page. And according to VeriSign, this is exactly what Microsoft did. Someone from Microsoft filled out this specific form, and they took action on it.

VeriSign admits, as anyone might have guessed, that the fact that the report came from Microsoft got their attention. This might have put this report at the front of the queue, but did it change the standards against which Atsiv was judged? Come to think of it, what are those standards? The form itself gives vague guidelines about code being "malicious" or "harmful," and a few specific examples (spyware, phishing, MITM, misleading descriptions).

So I asked VeriSign what their standards were and specifically why they dropped the bomb on Atsiv. Here are some of the things they consider:
  • The name of the code being signed
  • The behavior of the code
  • Methods of distributing the code
  • Disclosures made to recipients of the code
  • Any additional allegations made about the code
Based on my exchanges with VeriSign, it appears they decided Atsiv was malicious and/or harmful based on Microsofts claims that it was and the fact that Microsoft created a Windows Defender signature. Other anti-malware products also have signatures for Atsiv, such as Symantec, and Im pretty sure that Symantec made its classification before Microsoft did. This doesnt make Atsiv malware, but it means that it wasnt bullied into it by Microsoft, as if such a thing were reasonable to suspect. Im sure VeriSign would treat a malware report from Symantec or McAfee with the same urgency and standards as one from Microsoft.

VeriSign could very easily determine on their own that Atsiv is "harmful" if only because its designed to help users bypass the code signing requirement. Its not hard to imagine that VeriSign agrees with Microsoft on the importance of code signing. Add to this the fact that Microsoft and Symantec both consider Atsiv to be malicious and who is VeriSign to disagree?

Finally, as for the idea that Microsoft bullies anyone and everyone to do as they please, I just dont see how it works against VeriSign. Especially with respect to code signing, its VeriSign that has all the leverage in the relationship. Code signing is actually more important as a business to Microsoft than to VeriSign. Im sure VeriSign takes it very seriously and hopes to grow it to be good money, but right now its puny next to its SSL certificate business.

So if you hear about a cert being revoked and want to know whos responsible, the answer is easy. Only the CA can revoke it and you shouldnt bother going any further.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel