Switching to new certificate and preserving old certificate reputation...

  • Question

  • Hi!

    I guess my question relates to the https://social.technet.microsoft.com/Forums/ie/en-US/bedf658f-5c72-4a21-a955-09180b9566d2/how-to-know-my-softwares-smartscreen-reputation?forum=w7itprosecurity question.

    In our company we have digitally signed installers. Once every 3 years the certificate expires and we need to purchase a new certificate, which in turn does not have any good reputation, as SmartScreen sees it for the first time.

    The certificate company name stays the same, but the certificate expiration date changes, causing SmartScreen protection to treat the certificate as completely new.

    Because of the annoying SmartScreen warning, we've also tried an Extended Validation (EV) Code Signing Certificate, but it's based on hardware (it's a USB token), and cannot be easily replicated across multiple build machines.

    Such software does indeed exist, for example see:

    https://www.eltima.com/best-usb-over-ethernet-apps/

    https://www.eltima.com/article/security-token-remote-acces/



    but all of them are more or less expensive, and it is difficult to say how well they scale for multiple build agents.

    Since the same problem manifests once every 3 years, there is a clear need to be able to transfer the old certificate's trust reputation to the new certificate - either automatically (e.g. using the company name), or manually - from a web page - e.g. when the SmartScreen developers provide such functionality.

    Where can I place a new requirement to the SmartScreen development team, and observe that it will be implemented by Microsoft?



    • Edited by Tarmo Pikaro3 Thursday, September 3, 2020 5:45 AM spell check
    Thursday, September 3, 2020 5:18 AM