Allow other Certificates in WinQual (not only Verisign) by Stefan 000000

VERY suspicious. The double talking answers I've seen out there for why winqual does not accept any other CA except VeriSign is a real let down. Give your head a shake, my company has paid for VB6, VS2005, VS2010, Server and a Windows (and office) licence for every user in the company. Then you tell me that I have to go and pay an inflated fee to a specific CA and that I cannot shop around for a CA that I want. Smells of kickbacks or someother nefarious relationship. There's some saying out there about a last straw that comes to mind.

Well I just purchased a brand new “Code Signing (Class 3) Digital ID” from VeriSign specifically for Winqual (we normally use Comodo certificates), and we still receive the following error while uploading the signed Winqual.exe file:
"The Winqual.exe file you uploaded is signed with an invalid digital certificate."

It really does not make any sense not to trust other root certificates like Comodo for Winqual, and really smells like protectionism. I’m sure that if VeriSign had a more neutral relationship with Microsoft this requirement would never have been imposed. This really is a great example of unhealthy mixed interests, and this could be a real treat for an institution like the European commission, if they would care to set their teeth into this. Maybe Microsoft will eventually come-up with Winqual N or K editions?

God only knows why the Microsoft legal department is still not sensitive to these kind of issues.

For an Austrian StartUp it is cumbersome to impossible to get a certificate from VeriSign. VeriSign is not able to accept the proof of identity which are used here (excerpt of commercial register).

Winqual does not trust CAs whose Rootcertificate is contained in the Windows Rootcertificate Store since 2003.
This kind of protectionism feels totally strange to me.

Please change that asap !!!

I think the problem could be solved after another antimonopoly Claim or else. Microsoft won’t do anything without kick in the...

There is a fairly large community facing this limitation.

Here is one set of users:
http://stackoverflow.com/questions/611472/winqual-why-would-wer-not-accept-code-signing-certificates

Please remove this limitation so that software and drivers which really DO pass all of your tests can be said to pass Windows logo testing.

Microsoft - your almost there. Thanks for dropping the Windows 7 logo certification fees but PLEASE allow us to sign our code with a certificate from any valid root CA. Verisign certificates (after the first year discount) are a huge rip-off. Thanks.

This is very curious and frustrating. Obviously for Windows 7 the logo program has undergone massive changes to make it more accessible to smaller software developers, yet this one relic stands in the way of broad adoption of the program. Not only does it not make sense from a product management standpoint, but it is frequently discovered in a very frustrating way - after already investing the time and money in another, more reasonably priced certificate - making the sting of the higher price even more off putting.

And what's worse, the Windows 7 Client Software Logo Toolkit accepts other (non-Verisign) code signing certs as a PASS --- as does Windows Vista/7 UAC --- and nowhere in the documentation does it say "but you won't be able to submit these results without a Verisign cert". This is quite unbelievable.

--Andrew

I am also quite irritated that Microsoft artificially creates monopoly and clearly pushes other companies of the running.

Personally, I would really like to have my software certified, but I am not able to get certificate from Verisign, even I have a valid code signing certificate from Thawte, which is generally also considered as a trusted authority. As a result, I am out of the game just for this foolish limitation.

Hello,

Thank you for your feedback.

We are aware of it and it may be incorporated in future programs.

Best Regards
Windows 7 Software Logo Team

Clearly, Microsoft can offer no reason why its Winqual team should not endure the inconvenience of adding additional "Trusted Root Certificate Authorities" to its authentication system. The most common vendors providing certs for Microsoft Authenticode should be supported: Thawte, Comodo, etc.

By ignoring this issue, the Winqual team seems to suggest that the quality of Windows applications is less important than protecting the revenue of a certificate authority that just *might* be over-priced.

see also: http://stackoverflow.com/questions/611472/winqual-why-would-wer-not-accept-code-signing-certificates