Whos In Charge of Code Signing?

Opinion: It's the certificate authority, VeriSign being the biggie, that makes these decisions. Microsoft doesn't pull the strings behind these entities.

When a code signing signature is revoked, who revokes it? The certificate authority, of course. Obvious, one would think, unless the evil presence of Microsoft is detected. At that point, some think, everyone elses free will melts away and they do Redmonds bidding irrespective of their own interests.

So it was in the case of Atsiv. I beat this story to death in a prior column and not one, but two blogs. But the short summary of it is that 64-bit Vista requires that kernel code, including device drivers, be digitally signed with a code signing certificate issued by a trusted certificate authority. Linchpin Labs wrote Atsiv, a program which uses a custom loader to load unsigned drivers into kernel space. Microsoft responded by "working with VeriSign" to revoke the certificate and by adding a signature to Windows Defender for Atsiv, effectively declaring it to be malware.

/zimages/1/28571.gifThe shutdown of Vista validation under Microsofts Windows Genuine Advantage program has been fixed. Click here to read more.

The actual language Microsoft used about the revocation of the certificate was this:

Microsoft has worked with partners in the code signing certification authority ecosystem to assess the Atsiv issue. VeriSign has revoked the code signing key used to sign the Atsiv kernel driver, which means the code signing key will no longer be considered valid. And yet I have read in several places, including from Linchpin Labs themselves, about how Microsoft revoked the certificate: "the fact Microsoft has taken it upon itself to revoke the Atsiv certificate based on its own definition for malware sets a concerning precedent, one that should not be ignored."

The fact is that anyone can rat out anyone else for abuse of a code signing certificate by filling out the form on this page. And according to VeriSign, this is exactly what Microsoft did. Someone from Microsoft filled out this specific form, and they took action on it.

VeriSign admits, as anyone might have guessed, that the fact that the report came from Microsoft got their attention. This might have put this report at the front of the queue, but did it change the standards against which Atsiv was judged? Come to think of it, what are those standards? The form itself gives vague guidelines about code being "malicious" or "harmful," and a few specific examples (spyware, phishing, MITM, misleading descriptions).

So I asked VeriSign what their standards were and specifically why they dropped the bomb on Atsiv. Here are some of the things they consider:

  • The name of the code being signed
  • The behavior of the code
  • Methods of distributing the code
  • Disclosures made to recipients of the code
  • Any additional allegations made about the code
Based on my exchanges with VeriSign, it appears they decided Atsiv was malicious and/or harmful based on Microsofts claims that it was and the fact that Microsoft created a Windows Defender signature. Other anti-malware products also have signatures for Atsiv, such as Symantec, and Im pretty sure that Symantec made its classification before Microsoft did. This doesnt make Atsiv malware, but it means that it wasnt bullied into it by Microsoft, as if such a thing were reasonable to suspect. Im sure VeriSign would treat a malware report from Symantec or McAfee with the same urgency and standards as one from Microsoft.

VeriSign could very easily determine on their own that Atsiv is "harmful" if only because its designed to help users bypass the code signing requirement. Its not hard to imagine that VeriSign agrees with Microsoft on the importance of code signing. Add to this the fact that Microsoft and Symantec both consider Atsiv to be malicious and who is VeriSign to disagree?

Finally, as for the idea that Microsoft bullies anyone and everyone to do as they please, I just dont see how it works against VeriSign. Especially with respect to code signing, its VeriSign that has all the leverage in the relationship. Code signing is actually more important as a business to Microsoft than to VeriSign. Im sure VeriSign takes it very seriously and hopes to grow it to be good money, but right now its puny next to its SSL certificate business.

So if you hear about a cert being revoked and want to know whos responsible, the answer is easy. Only the CA can revoke it and you shouldnt bother going any further.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack

More from Larry Seltzer