WinQual: Why would WER not accept code-signing certificates?

I just signed up to WinQual, and I've been contemplating this question; I think I now have the answer.

In short: They aren't using VeriSign as a certificate at all: They are just outsourcing the task of verifying your identity.

Microsoft doesn't want you to have access to the WinQual site without first verifying your identity. So they need an identification verification process.

They could have a department that charges you $99, and does the verification. But they already have significant holdings in VeriSign, which already has staff that can do that. So they use the process of signing up for the certificate to verify your identity. It's not using the certificate at all; it's just entrusting VeriSign with the task of verifying you.

Note that they don't require you to continue to maintain a VeriSign certificate to keep your account: it's just a one-off fee for joining the site.

Because this is a case of Microsoft verifying your identity, and they trust VeriSign because they have their fingers in that pie, and they don't trust Comodo so much, they want you to use VeriSign for this purpose, not any other certificate. It seems a bit silly from the developer's point of view, but I can understand it from their perspective.


Having done Code Signing and recently Winqual sign-up, here are some clarifications:

  1. For Winqual sign-up (registration), your signature itself is not checked against the Winqual database. Winqual only checks the certificate from VeriSign that proves that VeriSign checked your identity. Then they get your company name from your signature.

  2. In the next step, you have to create one or more "product mapping files" (using a tool from Microsoft) and upload these to Winqual. After that, the Winqual servers check several terabytes of crash database against all map files and provide you with a list of "events". (Which signature you used for code signing is therefore pretty irrelevant.)

  3. There is no technical reason why Microsoft could not accept other Certification Authorities, too. But: how would they benefit from doing so? Also there is a special-offer programme to obtain a one-year code signing certificate from VeriSign for just $99, and if you compare this to the cost of a development tool chain or an MSDN/TechNet membership, it's not exactly expensive.

  4. In our case, getting the certificate from VeriSign was straightforward and very fast - the whole process completed within two days. (We are not in the U.S., so I expected delays.) [Just for clarification: you generate your signature yourself, and it consists of a company_private_key (used for signing) and a company_public_key (for verifying your code signature). Any Certification Authority (like VeriSign) just counter-signs your company_public_key with their private key. This makes your certificate verifiable.]

  5. We did not know that the VeriSign $99 certificate could be used for code signing, too (it is not only an organizational ID). So initially we went for another CA for Code Signing. Then we got a VeriSign cert for Winqual registration.

  6. Microsoft publishes on WHDC and Winqual the information which signature providers are accepted for what type of signing. You can't really blame them for yourself not reading this before getting a certificate from another CA, can you?

Hope this may help to shed some light.
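As an added illustration of the key-pair and counter-signature description in point 4 above (an example shell script written for this page, not the poster's own code and not part of the original thread): it builds two unrelated CAs with openssl, has one of them counter-sign a locally generated company key pair, and shows that the resulting certificate verifies only against the root that actually signed it. It assumes the openssl command-line tool is installed; all CA and company names are constructed.

```shell
# Constructed example: company key pair + CA counter-signature, verified with openssl.
set -e
WORK=$(mktemp -d)

# Self-signed root: the CA's private key signs the CA's own public key.
make_ca() {  # $1 = constructed CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The company generates its own key pair; only the public key (in the CSR)
# is sent to the CA. company.key never leaves the company.
make_company_keypair() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=Example Corp" \
    -keyout "$WORK/company.key" -out "$WORK/company.csr" 2>/dev/null
}

# The CA counter-signs the company's public key with the CA private key,
# producing the company certificate.
countersign() {  # $1 = CA name
  openssl x509 -req -days 1 -in "$WORK/company.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/company-by-$1.crt" 2>/dev/null
}

# Returns 0 only if the certificate chains to the named trusted root.
verify_against() {  # $1 = trusted root name, $2 = certificate file
  openssl verify -CAfile "$WORK/$1.crt" "$2" >/dev/null 2>&1
}

make_ca ca-a
make_ca ca-b
make_company_keypair
countersign ca-a
```

The certificate signed by ca-a verifies with ca-a's root in the trust store and fails with ca-b's root; which CA counter-signed the key changes nothing about the verification mechanism itself, only about which root must be trusted.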


Well, I just posted another request basically telling them we will not participate unless they accept Comodo Code Signing cert.

Microsoft contacted us to tell us we have reports on Windows 7 they want us to look at, but we can't sign in because we don't use Verisign. Ok, YOU contacted me... How much more authenticated do I need to be?

I have contacted the product manager, we'll see what happens.

And to answer your semi-rhetorical question above - there is NO reason why they can't authenticate other signed EXEs. Windows does it, IE does it, the code is already in there. They don't have to do anything special to support it.

UPDATE:

After speaking with the Microsoft rep I was told point blank that you must purchase at a minimum the $99 VeriSign cert in order to "validate" and get your bug reports. Lame.