[Cscwg-public] Emails in code signing certificates

Mike Reilly (SECURITY) Mike.Reilly at microsoft.com
Thu Aug 12 20:05:41 UTC 2021


Hi Tim and CSWG members.  I checked internally and I'm not aware of any other use by Microsoft of the email address associated with the subject of the code signing cert.  SmartScreen does not use it for filtering.  However, we have seen known malicious certificates that claim to be owned by businesses where the Subject Alternative Name either contains no email or it contains an email that does not appear to be affiliated with the business (the domains are completely different).  So the CSWG may want to discuss this further.  Thanks, Mike

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Tim Hollebeek via Cscwg-public
Sent: Tuesday, August 10, 2021 9:21 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] Emails in code signing certificates


Hello,

We have a question for Microsoft that came up internally, but I'm sure it's of broader interest so I thought it would be more useful to ask it publicly.  We know Microsoft does display the email address associated with the subject of a code signing certificate in their "Digital Signature Details" page, but does Microsoft use the associated email in any other way?  For example, does it factor in any way into SmartScreen filtering?

-Tim