1

Topic: What is the situation with non-EV certificates now?

As of winter-spring, opinions were divided: some wrote that under every Win10 modules signed with non-EV certificates load normally, and others that in Secure Boot mode the system accepts only EV certificates. Has anything changed since then?

My process of obtaining the EV certificate on  is still dragging on: the only lawyer in Novosibirsk who agreed to sign the document from DigiCert was in the end rejected by that office, the money was spent for nothing, and now I am trying the option with a publication on Google My Business. If it turns out that the EV certificate is actually not as mandatory as MS explained a year ago, I will gladly drop this business and buy a regular one.

2

Re: What is the situation with non-EV certificates now?

Hello, Evgenie Muzychenko, you wrote:

EM> As of winter-spring, opinions were divided: some wrote that under every Win10 modules signed with non-EV certificates load normally, and others that in Secure Boot mode the system accepts only EV certificates.
EM> Has anything changed since then?
EM> My process of obtaining the EV certificate on  is still dragging on: the only lawyer in Novosibirsk who agreed to sign the document from DigiCert was in the end rejected by that office, the money was spent for nothing, and now I am trying the option with a publication on Google My Business.
EM> If it turns out that the EV certificate is actually not as mandatory as MS explained a year ago, I will gladly drop this business and buy a regular one.

I haven't tested this myself, so I recommend treating my words with caution. But the last thing I read on the subject made no distinction between a regular and an EV certificate from the point of view of signature validity. In other words, if EV works, a regular one works too. The problem is that now neither of them always works. Namely, with Secure Boot enabled Windows will require that drivers be signed by Microsoft (excluding those that were built and/or signed before these changes were announced). And when the time comes to send the driver to Microsoft for signing, it has to be submitted through the sysdev portal, and for that, in turn, you need an EV certificate, with which the submitted CAB archive is signed.

3

Re: What is the situation with non-EV certificates now?

Hello, CaptainFlint, you wrote:

CF> with Secure Boot enabled Windows will require that drivers be signed by Microsoft

Is that a replacement for the former cross-signing certificate from MS, or an addition to it?

CF> it has to be submitted through the sysdev portal, and for that, in turn, you need an EV certificate

Oh, so that's how it is. And I thought that now all drivers for Windows 10 have to be signed through sysdev...

4

Re: What is the situation with non-EV certificates now?

Hello, Evgenie Muzychenko, you wrote:

CF>> with Secure Boot enabled Windows will require that drivers be signed by Microsoft
EM> Is that a replacement for the former cross-signing certificate from MS, or an addition to it?

An addition, more likely. Old cross-signed drivers will continue to load, which provides backward compatibility for software/hardware. Freshly built drivers have to be signed through sysdev. In addition, a compatibility mode (a registry key) was mentioned, which is activated on an upgrade from 7/8 to 10 but is absent on a clean install of 10. If this mode is enabled, cross-signed drivers continue to load. At least, that is what the MS representative stated at the presentation devoted to the changes in the signing policy.

CF>> it has to be submitted through the sysdev portal, and for that, in turn, you need an EV certificate
EM> Oh, so that's how it is. And I thought that now all drivers for Windows 10 have to be signed through sysdev...

Well, actually, that is how it is, only what you send to sysdev is not the bare driver but one signed with your key. On OSR they wrote that MS does not replace the signature on the driver but adds its own (it replaces it only on the catalog, because its format does not support multiple signatures).
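
To see which of the cases described in this post apply to a particular machine, the script below lists running kernel drivers by who signed them, alongside the Secure Boot state. It is an added example, not code from the thread; the signer categories and the certificate subject strings they match on are assumptions of the example.

```powershell
# Added example (not from the thread): inventory running kernel drivers by signer
# type, next to the Secure Boot state. Run elevated in Windows PowerShell 5.1.

# Confirm-SecureBootUEFI throws on legacy-BIOS machines and in non-elevated sessions.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = 'unknown (not UEFI, or session not elevated)' }

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver -Filter "State='Running'") {
    if (-not $drv.PathName) { continue }
    # Normalise NT-style prefixes that some driver entries carry.
    $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Caveat: only the primary signature is reported here; a second signature
    # appended to the same file is not shown by this cmdlet.
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    $subj = if ($cert) { $cert.Subject } else { '' }

    # Assumption: categories are inferred from the signer certificate's subject text.
    $kind = if ($sig.Status -ne 'Valid') { 'Unsigned or invalid' }
        elseif ($subj -match 'Microsoft Windows Hardware Compatibility Publisher') { 'Microsoft hardware portal / WHQL' }
        elseif ($subj -match 'O=Microsoft Corporation') { 'Microsoft (in-box)' }
        else { 'Vendor certificate only' }

    [pscustomobject]@{
        Driver   = $drv.Name
        Signer   = $kind
        CertFrom = if ($cert) { $cert.NotBefore } else { $null }
        Subject  = $subj
        Path     = $path
    }
}

"Secure Boot enabled: $secureBoot"
$report | Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# These drivers rely on the vendor's own (cross-signed) certificate, so they are
# the ones affected when only Microsoft-signed drivers are accepted.
$report | Where-Object Signer -eq 'Vendor certificate only' |
    Format-Table Driver, CertFrom, Subject -AutoSize
```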

5

Re: What is the situation with non-EV certificates now?

Hello, Evgenie Muzychenko, you wrote:

EM> As of winter-spring, opinions were divided: some wrote that under every Win10 modules signed with non-EV certificates load normally, and others that in Secure Boot mode the system accepts only EV certificates.
EM> Has anything changed since then?

On my latest Insider  Windows 10 with Secure Boot enabled ("clean install"), drivers signed with the old certificate no longer load (error 577 and so on). For Server 2016 they promise that neither SHA-1 Standard nor SHA-2 EV will load. The latest experiments on Technical Preview confirm it. They also say that on Windows 10  Device Guard can be switched on, and then the system accepts only drivers signed through sysdev.

In short, it's rubbish all round. Opening  or an LLC just to buy a certificate is nonsense, I think. And all the old  like atsiv or dsefix will go on loading into the kernel without any certificates, and that is what stings.

EM> My process of obtaining the EV certificate on  is still dragging on: the only lawyer in Novosibirsk who agreed to sign the document from DigiCert was in the end rejected by that office, the money was spent for nothing, and now I am trying the option with a publication on Google My Business.

Our dealings with DigiCert took three months and led to nothing good in the end. We bought two certificates from GlobalSign, one EV, the other Standard SHA-1. Yes, it is expensive, but quick and without idiotic hassle.

EM> If it turns out that the EV certificate is actually not as mandatory as MS explained a year ago, I will gladly drop this business and buy a regular one.

MS gave a master class in muddling this question; nobody really knows when EV will become mandatory with no alternatives, and they probably don't know yet themselves...

6

Re: What is the situation with non-EV certificates now?

Hello, okman, you wrote:

O> For Server 2016 they promise that neither SHA-1 Standard nor SHA-2 EV will load.

Meaning with independent (without sysdev) signing?

O> Opening  or an LLC just to buy a certificate is nonsense, I think.

 , as a matter of fact, doesn't even need to be "opened": filled in the form on the site by means of a local  , unpacked it, handed it in at the tax office together with the notification of switching to the simplified tax system, and a few days later received the certificate. It's with an LLC that getting money out will be a pain, while with  everything is really simple now.

O> And all the old  like atsiv or dsefix will go on loading into the kernel without any certificates, and that is what stings.

So it is clear that all this fuss was started first of all for the purpose of "relatively honest  money", and security is simply a convenient cover.

O> Our dealings with DigiCert took three months and led to nothing good in the end.

And what problems did you have?

O> We bought two certificates from GlobalSign, one EV, the other Standard SHA-1. Yes, it is expensive, but quick and without
O> idiotic hassle.

I'll hold out another couple of weeks, and then I'll send them packing if it doesn't work out. I went to them, actually, only because MS seems to be well disposed toward them, and the 50% discount for driver developers doesn't hurt either.

7

Re: What is the situation with non-EV certificates now?

Hello, Evgenie Muzychenko, you wrote:

O>> For Server 2016 they promise that neither SHA-1 Standard nor SHA-2 EV will load.
EM> Meaning with independent (without sysdev) signing?

With sysdev too. I can't find the reference yet, but it was written there that Windows Server 2016 will accept only drivers that have passed HLK tests. That is, the sequence of "signing" a driver for this edition of Windows will probably look something like this: we install the Hardware Logo Kit, run the tests, get a file with the results, sign it with the EV  and send it to Microsoft. There they  the driver, sign the  and send it back. À la WHQL.

O>> Our dealings with DigiCert took three months and led to nothing good in the end.
EM> And what problems did you have?

First, it takes very long. Three months to buy some certificate is too much. The person who dealt with them complained that he had to go through a heap of bureaucratic procedures that exist nowhere except at DigiCert, and so on. And in the end they refused to issue the certificate, referring to  some 'security criteria'. I no longer remember the exact details.

Second, they are strange, these DigiCert people. An acquaintance of mine opened  and bought  from them very quickly. Then a month later they called him and revoked  , returning the money, also citing some trust relationship policies, etc.

A USB token, into which you have to enter a PIN at every login, is one more  . Our developers are scattered all over the CIS, and there is one token. It doesn't work properly over RDP; the PIN can only be entered in a local session.

8

Re: What is the situation with non-EV certificates now?

Hello, okman, you wrote:

O> I can't find the reference yet, but it was written there that Windows Server 2016 will accept
O> only drivers that have passed HLK tests.

Here is a mention: https://www.osr.com/blog/2016/06/02/dri … ls-emerge/
It seems that this restriction will still apply only with Secure Boot. In any case, in TP5 installed without Secure Boot, regular cross-signed drivers load without any trouble; I checked yesterday.

O> That is, the sequence of "signing" a driver for this edition of Windows
O> will probably look something like this: we install the Hardware Logo Kit, run the tests, get
O> a file with the results, sign it with the EV  and send it to Microsoft.
O> There they  the driver, sign the  and send it back.
O> À la WHQL.

And are there any differences from the "current" WHQL? Is the procedure paid?

O> A USB token, into which you have to enter a PIN at every login, is
O> one more  . Our developers are scattered all over the CIS, and there is one token.
O> It doesn't work properly over RDP; the PIN can only be entered in a local session.

This may be useful; a link was given on SO: https://www.signserver.org/ (an HTTP server that accepts a file, signs it with the token, and sends it back). I haven't worked with it myself, though; by the time I learned of its existence, I had already  a similar solution myself.

9

Re: What is the situation with non-EV certificates now?

Hello, CaptainFlint, you wrote:

CF> And are there any differences from the "current" WHQL? Is the procedure paid?

They promise that it will be free, just like signing on sysdev. It is hard to compare with WHQL; I know about it only by hearsay.

10

Re: What is the situation with non-EV certificates now?

Hello, okman, you wrote:

O> The person who dealt with them complained that he had to go through a heap of
O> bureaucratic procedures that exist nowhere except at DigiCert

Regarding EV certificates, or regular ones? With the regular one everything was simple.

O> And in the end they refused to issue the certificate, referring to  some
O> 'security criteria'.

Their criteria really are very strange; the impression is that they mindlessly transfer American realities onto any other country without looking into the particulars. For example, they demand a lawyer to verify identity and documents, and won't hear of notaries. Naturally, none of our lawyers will take on this procedure.

O> An acquaintance of mine opened  and bought  from them
O> very quickly. Then a month later they called him and revoked  , returning the money,
O> also citing some trust relationship policies, etc.

Isn't that the one you corresponded with on WASM? If so, he behaved somewhat strangely there: at first he described how simple and great everything was, and then stopped mentioning it in the thread (he and I corresponded in  ). As far as I understood, he makes some hacker-type programs; couldn't they have revoked the certificate after finding one of those programs signed with it?

O> A USB token, into which you have to enter a PIN at every login, is
O> one more  .

Does anyone issue EV certificates as ordinary files? As I understood it, this is a general requirement for the certificate, not a DigiCert condition.

11

Re: What is the situation with non-EV certificates now?

I got tired of waiting for the letter from Google, sent more than a month ago, to activate My Business, which DigiCert demanded for obtaining the EV certificate on  . I ordered a regular Code Signing certificate from DigiCert, with the 50% discount for developers (sysdev): $267 for three years. About an hour later they sent a letter with instructions on  , an hour after that they called by phone and asked me to turn on Skype, where I showed them my Russian passport, a couple of bank cards and my divorce certificate (a bill for electricity, water or something similar would also have done, but I pay for everything electronically and have no paper ones). A couple of hours later they sent the notification that the certificate was ready. It probably all went so quickly because  all my documents have been with them since the end of April, when I tried to get EV.

The certificate is SHA256; it is possible to sign with both SHA256 and SHA1. I installed the April Win10 Pro x64 distribution: it normally loads drivers signed with both SHA256 and SHA1 (as was promised, though). My drivers are unlikely to be used actively on the server version of Windows 10. Windows 7 accepts SHA256 if the fixes KB3035131/KB3033929 are installed.

Of the personal data, only  , a city and the country were put into the certificate. But I specifically notified them that there is no publicly accessible business at the specified address, and the address/phone are traded on only.

In general, one can live like this for now, and by then either the donkey dies or something happens to the emir...