The SubCAs for Windows 5.01 (XP) to 6.03 (Eight point One) kernel mode
signing are all 10-year cross-certs from a dedicated single-purpose
Microsoft root CA to well-known roots from companies like Symantec and
GlobalSign.
They can (or could) be downloaded from a Microsoft support page. I know
of 6 that expired in 2016, 19 that will expire in 2021 and 4 that will
expire in 2023.
The issuing 20-year root is:
http://www.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt
CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond,
ST=Washington, C=US
SHA1 Fingerprint=8F:BE:4D:07:0E:F8:AB:1B:CC:AF:2A:9D:5C:CA:E7:28:2A:2C:66:B3
The relevant root store contains *only* this root, so the issuing (and
possible revocation) of the SubCA/crosscerts acts as a dedicated root
program more restrictive than the normal Microsoft root program. Chain
validation is often done during boot before TCP/IP is up and running
(even the network drivers are signed with this), so there is no AIA or
OCSP available. Pre-downloaded CRLs could be checked, but I don't know if
they do that.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
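
Added example, not part of the original message: a check that a locally saved copy of the root certificate (the URL above is plain HTTP) matches the SHA1 fingerprint quoted in the message. The fingerprint is over the DER encoding, so a PEM copy is decoded first. The function names are this example's own and the built-in sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re
import sys

# Fingerprint as quoted in the message above for MicrosoftCodeVerifRoot.crt.
PINNED_SHA1 = "8F:BE:4D:07:0E:F8:AB:1B:CC:AF:2A:9D:5C:CA:E7:28:2A:2C:66:B3"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as DER or PEM."""
    m = _PEM_RE.search(data)
    if m:
        # PEM is base64 of the DER encoding; drop line breaks before decoding.
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not data.startswith(b"\x30"):  # a certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER SEQUENCE and no PEM block found")
    return data


def sha1_fingerprint(data: bytes) -> str:
    """Colon-separated upper-case SHA-1 of the DER form."""
    digest = hashlib.sha1(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so '8f be ..' and '8F:BE:..' compare equal."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexonly) != 40:
        raise ValueError("a SHA-1 fingerprint has 40 hex digits")
    return hexonly


def matches_pin(data: bytes, pinned: str = PINNED_SHA1) -> bool:
    """True only if the certificate bytes hash to the pinned fingerprint."""
    return normalize(sha1_fingerprint(data)) == normalize(pinned)


if __name__ == "__main__":
    # Uses constructed stand-in bytes unless a certificate file path is given.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"\x30\x03\x02\x01\x05"
    print(sha1_fingerprint(blob), "MATCH" if matches_pin(blob) else "MISMATCH")
```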