Alex Wight wrote:
> I have yet to see *any* CA require disclosure by a customer applying for a
> code signing cert about what the software does. If there was such a CA then
> it wouldn't make sense for the CA to issue them a cert that could be used
> over and over again to sign thousands of applications. It would make more
> sense for the CA to simply sign the *one* application they required
> disclosure for and never give a customer a private key/cert capable of
> signing code that wasn't part of the CA's code review process.
VeriSign (and Thawte) have exactly that policy. It would certainly be rough for a software publisher with lots of legitimate signed content if they got their certificate revoked for a violation - but then they are not as likely to do it.

Having said that, I still totally agree with you. I think that is why some mobile phone platforms use an approach where they can revoke individual signed packages in addition to, or instead of, revoking the identity cert they were published by. I can dig up a link if you want.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
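The two-tier revocation the reply describes (revoking one signed package versus revoking the publisher's identity cert) as an added, self-contained example; this is not code from the thread or from any platform it mentions. It stands in for a real code-signing format with Ed25519 over a SHA-256 content hash, and the publisher name, package contents and the `Verifier` / `Scenario` helpers are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of checking one signed package.
type Verdict string

const (
	Accepted       Verdict = "accepted"
	UnknownSigner  Verdict = "unknown-signer"
	BadSignature   Verdict = "bad-signature"
	SignerRevoked  Verdict = "signer-revoked"  // tier 1: the identity cert is gone
	PackageRevoked Verdict = "package-revoked" // tier 2: only this package is gone
)

// SignedPackage is a constructed stand-in for a signed app bundle: content,
// the ID of the publisher cert that signed it, and a signature over SHA-256(content).
type SignedPackage struct {
	Content  []byte
	SignerID string
	Sig      []byte
}

// Verifier holds the trust store and two independent revocation lists.
type Verifier struct {
	Publishers      map[string]ed25519.PublicKey // signer ID -> public key ("identity cert")
	RevokedSigners  map[string]bool              // tier 1: whole identity revoked
	RevokedPackages map[string]bool              // tier 2: individual package hashes revoked
}

func NewVerifier() *Verifier {
	return &Verifier{
		Publishers:      map[string]ed25519.PublicKey{},
		RevokedSigners:  map[string]bool{},
		RevokedPackages: map[string]bool{},
	}
}

// PackageHash is the per-package identifier a platform would list when revoking one app.
func PackageHash(content []byte) string {
	h := sha256.Sum256(content)
	return hex.EncodeToString(h[:])
}

// Sign models the publisher signing a bundle with its long-lived code-signing key.
func Sign(signerID string, priv ed25519.PrivateKey, content []byte) SignedPackage {
	digest := sha256.Sum256(content)
	return SignedPackage{Content: content, SignerID: signerID, Sig: ed25519.Sign(priv, digest[:])}
}

// Check verifies the signature first, then consults both revocation tiers.
func (v *Verifier) Check(p SignedPackage) Verdict {
	pub, ok := v.Publishers[p.SignerID]
	if !ok {
		return UnknownSigner
	}
	digest := sha256.Sum256(p.Content)
	if !ed25519.Verify(pub, digest[:], p.Sig) {
		return BadSignature
	}
	if v.RevokedSigners[p.SignerID] {
		return SignerRevoked
	}
	if v.RevokedPackages[PackageHash(p.Content)] {
		return PackageRevoked
	}
	return Accepted
}

// Scenario (constructed): one publisher, two packages signed with the same key; revoke
// the offending package alone, then the whole identity, and record each verdict.
func Scenario() (map[string]Verdict, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	v := NewVerifier()
	v.Publishers["publisher-1"] = pub
	good := Sign("publisher-1", priv, []byte("constructed sample: legitimate app v1.0"))
	bad := Sign("publisher-1", priv, []byte("constructed sample: abusive app signed with the same key"))
	tampered := Sign("publisher-1", priv, good.Content)
	tampered.Content = append([]byte("X"), good.Content[1:]...) // content altered after signing

	out := map[string]Verdict{}
	out["good/initial"] = v.Check(good)
	out["bad/initial"] = v.Check(bad)
	out["tampered"] = v.Check(tampered)

	v.RevokedPackages[PackageHash(bad.Content)] = true // tier 2: surgical revocation
	out["good/after-package-revocation"] = v.Check(good)
	out["bad/after-package-revocation"] = v.Check(bad)

	v.RevokedSigners["publisher-1"] = true // tier 1: everything the identity signed is rejected
	out["good/after-signer-revocation"] = v.Check(good)
	out["bad/after-signer-revocation"] = v.Check(bad)
	return out, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for k, verdict := range res {
		fmt.Printf("%-32s %s\n", k, verdict)
	}
}
```

The point of the ordering in `Check` is that package-level revocation only does useful work when the publisher's key is still trusted: after the identity is revoked, every package it ever signed fails regardless of the per-package list, which is exactly the collateral damage to legitimate content the reply worries about.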
