Vincent Parrett (750) - Posted October 4, 2022

> 10 hours ago, Angus Robertson said:
> That concept I can live with for a local dongle; the major problem I have is with shipping physical dongles around the world each year to be updated. Customs do not like USB keys.

I didn't have any issues with that last time, but that was 3 yrs ago. I'm sure these dongles will be a nice little earner for Thales and the CAs; the cost of certificates is already outrageous without the added expense of the dongle. CAs say the cost is for the time spent validating the applicants; my guess is much of that is automated, and they have minimum-wage call centers doing the rest. License to print money.
A.M. Hoornweg (144) - Posted October 5, 2022

> 19 hours ago, Uwe Raabe said:
> As far as I understand, the dongle is for the system that does the signing, not the one checking the signed exe.

The problem I see is that this completely counterfeits the idea of virtualization when the dongle (or HSM) is hardware bound. I can move around my build server and agents, which are all realized as VMs. If my build machine breaks, I can easily set up a new one and continue. In the case of a dongle I may be able to move it too, as long as it did survive the fire, flood, earthquake or bomb attack that destroyed the old machine. It creates a new hardware dependency and a single point of failure.

In the case of VMware, the "hardware identity" of the machine is determined by some entries in the *.VMX file which can be manually edited as long as the VM is unencrypted. These entries are "uuid.bios" and "uuid.location". The VM's MAC addresses are also derived from these IDs. It is vital to set uuid.action="keep" if you want to force VMware to maintain the hardware identity of a VM if it is moved to a different host machine.
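A small check for the uuid.action point made above, added here as an example and not code from the post or from VMware: it parses the key = "value" lines of a .vmx file, reports whether uuid.bios, uuid.location and uuid.action="keep" are present, and can force the "keep" setting. The .vmx fragment, its UUID values and the simplified line parser (no escaped quotes) are assumptions constructed for this example.

```python
import re

# Constructed sample .vmx fragment; the UUID values are made up for this example.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
uuid.bios = "56 4d 00 11 22 33 44 55-66 77 88 99 aa bb cc dd"
uuid.location = "56 4d 00 11 22 33 44 55-66 77 88 99 aa bb cc dd"
ethernet0.addressType = "generated"
"""

# Matches one  key = "value"  line; keys are compared case-insensitively.
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Parse the key = "value" lines of a .vmx file into a dict (keys lower-cased)."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def check_hardware_identity(text: str) -> list:
    """Return findings for a VM whose signing dongle/HSM is tied to its hardware identity."""
    cfg = parse_vmx(text)
    findings = []
    for key in ("uuid.bios", "uuid.location"):
        if key not in cfg:
            findings.append(f"{key} is missing; a new one will be generated at next power-on")
    action = cfg.get("uuid.action")
    if action != "keep":
        findings.append(f'uuid.action is {action!r}; set uuid.action = "keep" so a move '
                        f"does not change the UUIDs (and thus the generated MAC addresses)")
    return findings


def enforce_keep(text: str) -> str:
    """Return the .vmx text with uuid.action forced to "keep" (replaced in place or appended)."""
    if "uuid.action" in parse_vmx(text):
        return re.sub(r'(?im)^\s*uuid\.action\s*=\s*".*"\s*$', 'uuid.action = "keep"', text)
    return text.rstrip("\n") + '\nuuid.action = "keep"\n'
```

Run it against the real .vmx of a build VM before migrating it, while the VM is powered off and the file is unencrypted.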
John R. (18) - Posted March 24, 2023

> On 10/4/2022 at 11:23 PM, Vincent Parrett said:
> Thanks. One thing to bear in mind with USB is that it is very sensitive to latency, so not sure how it would work in high-latency connections. I have fiber at home and get 6ms pings to the data center where our servers live, which is fine. I suspect anything over 30ms might be a problem for some devices.

nSoftware just announced PKI Proxy. I'm still using "old" file-based certificates, but it looks like it could be a viable solution: https://www.nsoftware.com/pkiproxy/
Vincent Parrett (750) - Posted March 25, 2023 (edited)

> 10 hours ago, John R. said:
> nSoftware just announced PKI Proxy

Looks interesting, but for historical reasons I'll probably not use anything from them (currently working on replacing SBB).

Edited March 25, 2023 by Vincent Parrett
Anna Shipman (0) - Posted May 11, 2023

Yes indeed. From June 2023 onwards, just like for EV code signing certificates, HSM tokens are a mandatory requirement for issuance of Individual Validation (IV) and Organisation Validation (OV) Code Signing Certificates. Check out the key checklist of CA/B Forum code signing updates here: https://signmycode.com/resources/changes-issuing-ov-code-signing-certifificate-from-june-2023