Podcast Oct 18, 2022

Root Causes 248: Azure Code Signing Announced

Microsoft has announced the upcoming availability of a Microsoft-run code signing solution inside the Azure platform. We explain this approach's advantages and what to expect from it.

  • Original Broadcast Date: October 18, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    This is probably a relatively simple story, but we have an announcement. We like to cover industry news and in particular, I am looking at a blog post from Microsoft that was published on September 14, the title of which is Azure Code Signing: Democratizing Trust for Developers and Consumers. So, that’s how you look it up.

    And the gist of it is that Microsoft has announced that it will be deploying a code signing solution inside of the Azure environment so that as you deploy and run Azure code, code in Azure, you can actually deploy your code, you can sign your code directly inside of the service as part of the service.

    It is currently just announced. It is not even in preview mode, or I think it might be in very early preview mode, but this isn’t a live deployed thing yet. Microsoft is letting us all know that it is coming.

  • Jason Soroko

    It’s great. I can tell you that I’ve got a longer history than I care to admit of being in the Microsoft world, and I’ve programmed under the Microsoft stack for a long time. That was sort of a world before hardcore PKI and security were my main focus, and I can tell you that it does not surprise me that Microsoft has done this in order to make life easier for developers.

    So, first point, once again, bravo Microsoft. It’s one of the things you guys do so well, which is to ingratiate yourself to the developer community and to build tools that make a developer’s life easier. If you think about code signing, when the baby is born out of the developer’s mind and the code is complete, signing that code is – Tim, we’ve talked about it numerous times – code signing is a good idea.

    And what Microsoft here is basically allowing developers to do is to make sure that none of their resources – files, certificates, etc. – ever leave their environment. It’s a good thing. And, Tim, I think the other big, big bullet point, and this is the one that I know you’ll chime in on, is certificate lifecycle management. They’re formalizing it within an environment that developers are working in directly. So, the idea that you don’t have to specifically protect or manage the certificates, the ability to revoke is right there; these are the things that Microsoft has in their blog post and that they are talking about. So, once again, bravo Microsoft for putting certificate lifecycle management exactly where it needs to be. I think it’s all good.

  • Tim Callan

    And that’s one of the powers, I think, of just kind of a public cloud environment: you can do this kind of thing. And by the way, the same is true I think for TLS certificates. They can completely control that environment. They are a CA. Microsoft is a public CA and so they are issuing off the Microsoft root. They will give you these code signing certificates in that environment. They are entirely in control of it. They are in control of the private key. They are in control of the certificates’ installation and use, and they are in a position to technically ensure that every aspect of that trust lifecycle, if you will, is implemented correctly. Not just technically correctly but following proper procedure, and certs never fall into the wrong hands, and all of that stuff is well within their control because they control this entire environment. That’s one of the advantages that a public cloud environment can have, and you see that at work here.

  • Jason Soroko

    Exactly, Tim. They have six big bullet points and one of them is Secure and Compliant – Meets WebTrust certification included in the Microsoft Root Certificate Program. So, there’s a lot there just in that statement. We know from the PKI industry what that takes, but then you combine that with something that might not be at the top of mind of every PKI practitioner, but is one of the other big bullet points: Seamless Experience – Provides a seamless experience by integrating into the leading developer toolsets. That’s phenomenal.

    Tim, in our product roadmaps and the things that we work on, it’s integrations and bringing together tools, reducing friction, making the life of the practitioner who is actually doing these things – even if they are not a PKI specialist – bringing it into their toolsets. Reducing the number of specialized toolsets and bringing it into the toolsets that these people use the most. That’s a phenomenal story that I hope continues in the industry, and I don’t think anybody does it better than Microsoft – as I say, to bring tools to the developer that developers love and live in, and then to integrate important functionalities directly into them so they can truly live in that environment.

  • Tim Callan

    Since you are calling out those bullets, actually I’ll call out two more. One of them is Fully Managed. So, that’s probably pretty self-evident, but to quote a little bit, “certificates are issued from Microsoft managed CA and subsequently protected and managed by the service.” So, again, this goes back to your significant management point.

    The other one that I want to call out is Fast Remediation Options – Ability to quickly detect, investigate, revoke certificates on improper use. So, what they are trying to offer is what we talk about as certificate lifecycle management. This is Microsoft acknowledging that certificate lifecycle management is a very important aspect of certificates, to the degree that they are building it directly into their public cloud service, because they understand that these things are painful, that these things are important, that these things are easily misunderstood or easily gone wrong, and that the consequences of getting them wrong can be very bad. So, as much as they can, Microsoft is trying to take that out of the hands of the individual developer, and that’s why.

  • Jason Soroko

    Tim, in fact, yes, you are right. It is in a private preview and Microsoft is being very responsible here. We call this out in this podcast not because everybody can touch it. You’ve gotta have 3+ years of verifiable business history according to the blog and that’s very responsible on the part of Microsoft because code signing really should be done by people that you can vet. I think it’s impossible to completely do that, as we know, in the industry; but I think that this is the right way to go about it. So, all the way around, great blog post from Microsoft and short and sweet from them – just like this podcast that’s announcing it. Good for them. It’s the bringing together, Tim, of CLM exactly where it needs to be.

  • Tim Callan

    Cool. So, this is coming. So private preview is launching really any time now and then from there, there is an unknown timeline during which it will be expanded to general availability. But that’s something for us to watch for.

  • Jason Soroko

    As this spreads across the industry, now that Microsoft has done it you are probably gonna see it in other places. We will call it out and we’ll see how it develops and changes and transforms and is used and, if there are problems, we will talk about that, too, but we will keep you updated.

  • Tim Callan

    That’s worth noting that both Amazon and Google – now that you bring that up, Jay – both Amazon and Google are also public CAs.

    So, they have the capability of doing the same thing, and they both do issue TLS certificates now. So, we’ve talked in the past about how the public cloud between those three big providers is this incredible battle – this market share battle – and you gotta imagine that the others are gonna take note of this and something similar may go onto their roadmaps as well.

  • Jason Soroko

    Doesn’t surprise me. Just a little bit of industry speak here: Microsoft, of course, with Visual Studio and the way the teams collaborate within that, and their investments in GitHub, it shows you somebody at Microsoft is really thinking hard right through this.

  • Tim Callan

    And to your point about Microsoft’s history with developers, it’s not really surprising to see them be the first one to make this kind of move.

  • Jason Soroko

    This is not surprising to me at all. In fact, when you sent this to me, Tim, and I first saw it, I was like well of course.

  • Tim Callan

    Didn’t they do that already?

  • Jason Soroko

    I thought to myself, if I was living in this world back in the day and anybody but Microsoft had come up with this first, I would have been shocked. So, anyway, good on them.