1. pintxo+(OP)[view] [source] 2022-03-05 13:08:32
Is there any proof that most others store their certificates on hardware?
replies(3): >>gruez+Za >>Genbox+Xb >>native+fB
2. gruez+Za[view] [source] 2022-03-05 14:32:21
>>pintxo+(OP)
Hardware tokens are mandated for EV code signing certificates[1], but not for regular certificates. However, the certificate was from a while ago so that requirement probably wasn't a thing back then.

[1] https://www.digicert.com/signing/code-signing-certificates "REQUIRES TWO-FACTOR AUTHENTICATION USING HARDWARE TOKEN"
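The EV-versus-regular distinction above can be read off the certificate itself. The following is an added example, not code from the thread, using Python's `cryptography` library: it classifies a code-signing certificate by its Extended Key Usage and the CA/Browser Forum policy OIDs (assumed constants 2.23.140.1.3 for EV and 2.23.140.1.4.1 for non-EV code signing); the self-signed certificate it builds is constructed purely for demonstration.

```python
# Added example (not from the thread): classify an X.509 certificate as EV code
# signing, non-EV (OV) code signing, or not a code-signing cert at all.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# CA/Browser Forum certificate policy OIDs (assumed constants, not from the page).
EV_CODE_SIGNING = x509.ObjectIdentifier("2.23.140.1.3")    # EV code signing
OV_CODE_SIGNING = x509.ObjectIdentifier("2.23.140.1.4.1")  # non-EV code signing


def classify_code_signing_cert(cert: x509.Certificate) -> str:
    """Return 'ev', 'ov', or 'not-code-signing' from EKU plus certificate policies."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "not-code-signing"
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return "not-code-signing"
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return "ov"  # code-signing EKU but no policy assertion: treat as non-EV
    asserted = {p.policy_identifier for p in policies}
    return "ev" if EV_CODE_SIGNING in asserted else "ov"


def make_test_cert(policy_oid: x509.ObjectIdentifier, code_signing_eku: bool = True) -> x509.Certificate:
    """Constructed self-signed certificate for demonstration only (not CA-issued)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Publisher (constructed)")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name).public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.CertificatePolicies([x509.PolicyInformation(policy_oid, None)]),
                              critical=False))
    if code_signing_eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]),
                                        critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for oid, eku in ((EV_CODE_SIGNING, True), (OV_CODE_SIGNING, True), (EV_CODE_SIGNING, False)):
        print(classify_code_signing_cert(make_test_cert(oid, eku)))  # ev, ov, not-code-signing
```

A verifier consuming a signed binary can apply the same check to the signer's leaf certificate to learn whether the issuing CA required a hardware-backed key.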

3. Genbox+Xb[view] [source] 2022-03-05 14:40:14
>>pintxo+(OP)
What gruez said is correct. Hardware tokens have been mandated for EV certificates for a long time by providers to prevent leaks.

I'll also add that Amazon Key Management Service, Azure Key Vault, and Google Key Management Service store several hundred million private keys combined with no leaks so far (they are non-exportable and access is audited).

It is very rare that we see malware signed by a publisher's certificate, which is why it is in the news every time it happens.

replies(1): >>hulitu+2i3
4. native+fB[view] [source] 2022-03-05 17:22:03
>>pintxo+(OP)
I bought a Windows EV code signing cert just months ago. It comes in the form of a password protected USB token.
5. hulitu+2i3[view] [source] [discussion] 2022-03-06 18:39:02
>>Genbox+Xb
No leaks does not imply security.