Please work with your auditor to make sure the Qualifying Attestation Letter fulfills the following requirements. If the audit letter fails in any of these categories, a mail will be sent back to the CA asking them to update their audit letter. For each of the EKUs on the left, Microsoft requires an audit that conforms to the standard marked. Microsoft now requires the WebTrust Trust Services Principles and Criteria for Certification Authorities -- Code Signing for any audit statements with periods commencing on or after January 1, If a CA has the code signing EKU enabled on a root but is not actively issuing code signing certificates, it may reach out to msroot microsoft.
The Government CA can then operate without limiting the certificates it issues. The audit has two purposes: (1) to demonstrate that the Government CA complies with local laws and regulations related to certificate authority operation, and (2) to demonstrate that the audit substantially complies with the relevant WebTrust or ETSI standard. Government CAs that issue server authentication certificates must limit the root to government-controlled domains.
Governments must limit the issuance of any other certificates to ISO country codes that the country has sovereign control over. Government CAs must also accept and adopt the appropriate CAB Forum Baseline Requirements for CAs, based on the type of certificates the root issues. However, the Program Requirements and Audit Requirements supersede those requirements in any aspect in which they are in conflict.
All Government CAs that are part of the Program prior to June 1, will be subject to the above EA requirements immediately upon expiration of their then-current audit. Microsoft requires all Government CAs that submit an EA to provide an attestation letter from the auditor that:
This release will add 7 new roots: Finally, 9 roots will be removed that were disabled during the September release and do not have code signing or time stamping EKUs. The roots that will be removed are: On September 29, Microsoft released its planned quarterly update to the Microsoft Trusted Root Program, which included adding 14 new roots and modifying capabilities for 29 other roots.
This release will add new roots for Digicert Hotspot 2. Unlike past releases, however, Microsoft is implementing new functionality in Windows 10 that allows us to remove these roots while leaving existing Authenticode certificates as valid. Microsoft will release these changes such that Windows 10 devices running the upcoming summer update will stop accepting the removed EKUs, but, in the event that the root is cross signed by another valid root, the OS will validate the certificate using the valid roots.
The update package is available for download and testing at. This update includes adding new partner roots, updating existing roots, and removing certain roots. For the most current list of Program participants and enrolled roots, please see Microsoft Trusted Root Certificate Program Participants. The focus of this release is to remove roots that are out of compliance with the Program rules. The roots below are currently subject to removal. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within 24 hours of the exception being denied.
CAs must provide a business justification for all of the EKUs assigned to their root certificate. Justification may be in the form of public evidence of a current business of issuing certificates of a type or types, or a business plan demonstrating an intention to issue those certificates in the near term (within one year of root certificate distribution by the Program).
Windows 10 has heightened requirements to validate kernel-mode drivers. Drivers must be signed by both Microsoft and a Program partner using Extended Validation requirements. All developers who wish to have their kernel-mode drivers included in Windows must follow the procedures outlined by the Microsoft Hardware Development Team.
Program documentation can be found here.