I've been assigned the task of buying a digital certificate for my company to sign our code. We develop applications in the Microsoft space - mostly WPF or Web Based.

I've investigated options and found Comodo to be well priced and responsive, and we're ready to go ahead and purchase a cert through them; however, in the signup form there are various private key options that I'm not too sure about, namely:

  1. CSP

    • Microsoft Base Cryptographic Provider
    • Microsoft Base Smart Card Crypto Provider
    • Microsoft Enhanced Cryptographic Provider v1.0
    • Microsoft Software Cryptographic Provider
  2. Key Size

    • 1024
    • 2048
    • 4096
  3. Exportable?

    • Yes / No
  4. User Protected?

    • Yes / No

Just wondering what all of this means, and what the best options are for our requirements? Any advice/suggestions would be appreciated.

Thanks heaps, Greg

A: 

Hmmm... first time I've ever posted a question here and not received a question... does this mean nobody knows anything about what I'm asking??

Gregorius
+8  A: 

For "most purposes" the following options are recommended:

  • Microsoft Base Cryptographic Provider
  • Key Size: 2048
  • Exportable: Yes
  • User Protected: Yes

To be honest, I'm not familiar with the different CSPs, but the Base does the job every time for me.

Key Size makes the keys harder to crack, but more than 2048 bits for a short to medium term key (3-5 years) is ample (IMHO).

Exportable lets you export the private key/certificate pair - essential for backing it up!

User Protected means that you must enter a password every time you want to use the cert - highly recommended to prevent accidental or malicious signing of code with your certificate.

Hope this helps.

Froosh
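One way to check those same four settings (provider, key size, exportable, user protected) on a code-signing certificate already in your Windows store, as an added example that is not from this thread. It assumes Windows PowerShell 5.1 and a CAPI/CSP-based key (which is what the providers listed in the question create; CNG keys expose no CspKeyContainerInfo), and the function name and 2048-bit threshold are my own.

```powershell
# Added example, not from the original thread. Audits code-signing certs in a store
# and reports the CSP, key size, exportable and user-protected flags, plus warnings.
# Assumes Windows PowerShell 5.1 and CSP (CAPI) keys; CNG keys report no CSP info.
function Get-CodeSigningKeyInfo {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [int]$MinimumKeySize = 2048   # hypothetical policy threshold, per the answer above
    )
    Get-ChildItem -Path $StorePath -CodeSigningCert | ForEach-Object {
        $cert = $_
        $info = $null
        try {
            # For CSP keys PrivateKey is an RSACryptoServiceProvider; CNG keys may return
            # $null or throw, so treat either as "no CSP information available".
            $rsa = $cert.PrivateKey
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info = $rsa.CspKeyContainerInfo
            }
        } catch { $info = $null }

        $keySize  = $cert.PublicKey.Key.KeySize
        $warnings = @()
        if ($keySize -lt $MinimumKeySize) {
            $warnings += "key size $keySize is below $MinimumKeySize"
        }
        if ($info -and -not $info.Protected) {
            $warnings += 'private key is not user-protected (no prompt before signing)'
        }
        if ($info -and $info.Exportable -and -not $info.Protected) {
            $warnings += 'exportable key with no password prompt; back it up and protect it'
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Provider      = if ($info) { $info.ProviderName } else { '(no CSP info)' }
            KeySize       = $keySize
            Exportable    = if ($info) { $info.Exportable } else { $null }
            UserProtected = if ($info) { $info.Protected } else { $null }
            Warnings      = ($warnings -join '; ')
        }
    }
}

Get-CodeSigningKeyInfo | Format-Table -AutoSize
```

Reading CspKeyContainerInfo opens the key container, so a user-protected key may show its protection prompt while the script runs.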
+5  A: 

Historically, the "base" cryptographic provider had an artificial limitation on key lengths, and the "enhanced" provider had the limit removed. This allowed Microsoft to comply with US export laws, removing the enhanced provider in certain versions.

Apparently, with the changes to export law, Microsoft has removed the limitation from the base provider, allowing longer key lengths as well (but has kept the name for compatibility).

Martin v. Löwis
+2  A: 

This is slightly off topic, but you can buy code signing certificates from Tucows.com for $75/yr. They resell Comodo certificates for a steep discount off buying Comodo certs directly.

See this link: http://www.wintellect.com/cs/blogs/jrobbins/archive/2007/12/21/code-signing-it-s-cheaper-and-easier-than-you-thought.aspx

Peter Stephens
Anyone that is searching and finds this link... I just checked and Comodo has raised their code signing price up to $179/year.
Mike Knowles