[Ach] Signing

David Durvaux david.durvaux at belnet.be
Mon Dec 2 14:15:23 CET 2013


Good to know.

BTW, it's relatively well explained on MSDN:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff548231(v=vs.85).aspx

Thanks! :-)

Kr,

David
--
David Durvaux
Belnet CERT
PGP Key Id 0xE84A32A0

Louizalaan 231 Avenue Louise
Brussel 1050 Bruxelles
België Belgique
T: +32 790 33 33
www.belnet.be

On 02 Dec 2013, at 12:34, Adi Kriegisch wrote:

> Hi!
> 
>> So, in short, we have another whitepaper to write ;)
> :-)
> 
>> Ter info, don't know what's your problem with device signing but for security reasons, the recognized CA for drivers is now embedded somewhere in Windows kernel.  You cannot change it and it's different from the computer / user CA store. :-S
>> 
>> If you don't have a certificate signed by an authority that can sign certificates for use on drivers, you need to boot Windows in a development mode where it will basically accept anything :D.
> Fortunately it isn't that bad: You may very well install your own
> certificate authority into "Trusted Publishers" (machine wide, of course).
> Then you only get prompted whether you trust that certificate (and you may
> accept software signed by that publisher forever). The dialog looks ok and
> not like the whole world is on fire... ;-)
> For the signing certificate itself one needs to add
> "extendedKeyUsage = 1.3.6.1.4.1.311.2.1.12" to the openssl.cnf...
> 
> -- Adi 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
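
The openssl.cnf setting mentioned in the quoted reply, as an added example that is not part of the original thread: it builds a throwaway self-signed certificate carrying that extendedKeyUsage value and checks that the value actually ended up in the certificate. It assumes the openssl command-line tool is on PATH; the subject name, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: subject, paths and function names are constructed.
EKU_OID="1.3.6.1.4.1.311.2.1.12"   # value quoted in the thread

# make_signing_cert DIR: write DIR/openssl.cnf, DIR/sign.key, DIR/sign.crt
make_signing_cert() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_sign

[ dn ]
CN = Constructed Test Signer

[ v3_sign ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = $EKU_OID
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" -days 30 \
        -keyout "$dir/sign.key" -out "$dir/sign.crt" 2>/dev/null
}

# cert_ekus CERT: print the Extended Key Usage values of CERT, one per line
cert_ekus() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# has_eku CERT OID: succeed only if OID is among the certificate's EKUs
has_eku() {
    cert_ekus "$1" | grep -qxF "$2"
}

# Demo run: generate into a scratch directory and show what was embedded.
work=$(mktemp -d)
make_signing_cert "$work" && cert_ekus "$work/sign.crt"
rm -rf "$work"
```

Running `has_eku` against a certificate before it is imported on the Windows side catches the case where the extension section was never applied.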
