Comodo Individual Code Signing – UK Issues

Programmers out there will understand the importance of code signing. To the end user, it stops the yellow "untrusted publisher" window from appearing when running software, and it shows that the executable has not been tampered with since it was signed.

All the utilities on this site are code signed. For the last 2 years they were signed by Thawte, but Thawte no longer does individual code signing, so I had to go with Comodo this year.

My notarized passport should have been valid for 27 months, but Comodo would not accept it as they had added extra documents to be notarized. As there is no standard document for identification requirements (set by the CA/Browser Forum), each CA's form is different, and each seems to expect its own form to be completed with different requirements, even though the main information and purpose are the same. This was mentioned in the CA/Browser Forum in 2015 as a discussion topic.

It is not cheap to apply for these certificates: they cost about $70/year with Comodo, and up to $499/year for Symantec. That is a bit of a disparity in the prices, but it is not the issue here. What they don't make clear on their websites is that the price of validation is not included, which in the UK can be about $140.

kSoftware (a Comodo reseller) offer 3 years @ $209.00; factor in the $140 notary fees and this is $116/year, not the $70/yr advertised. kSoftware have been very helpful in sorting my issues directly with Comodo, so I highly recommend them.

Tips:

  • Buy a code signing certificate for as long as you can afford.
  • Notarize the forms they request and get all ID used to attend the Notary copied and certified as a true copy (especially if you are buying the cert for 2 years, as you will only have 3 months left on your notarized documents when you come to renew).

I want to be clear that I do understand there is a lot of fraud with individual code signing certificates, and that notarizing documents is essential, but the requirements need to be standardized across the certificate authorities to keep costs down.

UPDATE:

Sent this to questions@cabforum.org on 30 Mar 2018:

2 years ago I purchased an Individual Code Signing certificate from Thawte; on renewal I found they no longer accept Individual Code Signing.

On presenting the same Thawte notarized documents to Comodo, which should have been valid for 27 months, they will not accept them, because they also need a notarized phone bill and bank statement (which was not required by Thawte); this is an extra cost of $140 for the notary in the UK.

I have seen this document below:

https://cabforum.org/current-work/code-signing-working-group

Could not find the final version, but this does seem to mention standardization.

The expensive part is the process of validation, which should be standardized, with proper professional-looking fillable PDF forms. At the moment there is no cheap way to buy a 1 or 2 year cert, as the documents may not be valid on renewal, even though the docs should be valid for 27 months.

Received this quick response on 30 Mar 2018:

Thank you for contacting the CA/Browser Forum. Currently, the Forum’s scope does not include Code Signing. The document you referenced, although drafted by Forum members, was not passed by the Forum. However, it was adopted by Microsoft as a standard relating to Code Signing Certificates. The latest version of that document is maintained by the CA Security Council here: https://casecurity.org/wp-content/uploads/2017/05/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing-.pdf.

The CA/B forum is undergoing a governance change whereby code signing could be included in a future scope. If the Governance reform ballot passes in the next week, it could be possible that a code signing working group will be formed and will take on this topic in the future.

As a general statement which applies to code signing or TLS certificates, it’s up to each CA to determine document requirements above and beyond a minimum standard.

CABForum

This might help with some of the issues.
