So it was in the case of Atsiv. I beat this story to death in a prior column and not one, but two blogs. But the short summary of it is that 64-bit Vista requires that kernel code, including device drivers, be digitally signed with a code signing certificate issued by a trusted certificate authority. Linchpin Labs wrote Atsiv, a program which uses a custom loader to load unsigned drivers into kernel space. Microsoft responded by "working with VeriSign" to revoke the certificate and by adding a signature to Windows Defender for Atsiv, effectively declaring it to be malware.
The actual language Microsoft used about the revocation of the certificate was this:
The fact is that anyone can rat out anyone else for abuse of a code signing certificate by filling out the form on this page. And according to VeriSign, this is exactly what Microsoft did. Someone from Microsoft filled out this specific form, and they took action on it.
VeriSign admits, as anyone might have guessed, that the fact that the report came from Microsoft got their attention. This might have put this report at the front of the queue, but did it change the standards against which Atsiv was judged? Come to think of it, what are those standards? The form itself gives vague guidelines about code being "malicious" or "harmful," and a few specific examples (spyware, phishing, MITM, misleading descriptions).
So I asked VeriSign what their standards were and specifically why they dropped the bomb on Atsiv. Here are some of the things they consider:
- The name of the code being signed
- The behavior of the code
- Methods of distributing the code
- Disclosures made to recipients of the code
- Any additional allegations made about the code
VeriSign could very easily determine on their own that Atsiv is "harmful" if only because its designed to help users bypass the code signing requirement. Its not hard to imagine that VeriSign agrees with Microsoft on the importance of code signing. Add to this the fact that Microsoft and Symantec both consider Atsiv to be malicious and who is VeriSign to disagree?
Finally, as for the idea that Microsoft bullies anyone and everyone to do as they please, I just dont see how it works against VeriSign. Especially with respect to code signing, its VeriSign that has all the leverage in the relationship. Code signing is actually more important as a business to Microsoft than to VeriSign. Im sure VeriSign takes it very seriously and hopes to grow it to be good money, but right now its puny next to its SSL certificate business.
So if you hear about a cert being revoked and want to know whos responsible, the answer is easy. Only the CA can revoke it and you shouldnt bother going any further.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer