The other consideration is that verifying identity is pointless, because malware authors don't actually use their own identities, they just pull a code signing certificate from the 1% of their already-infected users who have one. Then they go out and infect a million more users with it and get 10,000 more code signing certificates.
If all you're after is some kind of rate limiting then forget about identity verification and just require proof of a unique $500 donation to a 501(c)(3). Not only would it be easier to automate, it would do some good in the world, and people would be a lot happier to see their resources go there than to some box checking bureaucrats.
That doesn't rate limit wealthy attackers, it just locks regular individuals out of the system. Peter Thiel could still buy 10,000 malicious certificates at $500/ea, while I wouldn't even be able to buy one for a simple project.
To be fair, the former isn't really a problem; most malware authors are profit-motivated; they're trying to scam/phish/ransomware/etc people. If you increase their operating costs sufficiently, they'll go away. The ones who can afford to eat certificate costs mostly have nation-state connections they can use to get around identity verification anyway.
That said, the latter part does make this a non-starter, although the same is true of most means of identity verification, which lock out anyone with inadequate identity paperwork.
>That said, the latter part does make this a non-starter, although the same is true of most means of identity verification, which lock out anyone with inadequate identity paperwork.
I get the reasoning of "voter id laws are bad because they disproportionately disenfranchise poor people", but "code signing certificates are bad because they disproportionately disenfranchise poor programmers" doesn't really make any sense. If you know how to program, and you can pony up $300 for the code signing certificate, chances are you probably already have the requisite identity paperwork. On the off chance that you don't, it's no big deal because lots of prominent software aren't signed (eg. 7zip, notepad++), so it's not like you're sticking out by not doing so.
> If you know how to program, and you can pony up $300 for the code signing certificate, chances are you probably already have the requisite identity paperwork.
At a sample size of one (me), this is false in 100% of cases. (To be fair, you did say "chances are" rather than "it is certainly the case that".)
> it's no big deal because lots of prominent software aren't signed (eg. 7zip, notepad++)
Sure, but that's a argument against code signing in general, not fees versus paperwork.
This is why code-signing certificates must be two-factor (e.g. embedded on a PIN secured smartcard where the private-key is protected from extraction by anybody).
My Tucows certificate is still a single *.pfx file - whereas my arguably less-consequential AATL (Adobe PDF signing) certificate is stuck on a crappy USB device that requires me to install marketing-laden software for. I miss my old commodity smartcard-based certificates.
Your computer is unknowingly infected with malware, you go to do an update to your app, you insert your smartcard and enter your PIN, the malware signs the malware author's thing with it.
I understand the PIN is sent directly to the smartcard that performs the signing - not on the host PC - and it's required for each signing operation. So if malware did intercept the signature process and sign itself, I would notice that my originally intended software wasn't signed - that would hopefully be a hint to me that something was amiss and my computer was compromised.
If all you're after is some kind of rate limiting then forget about identity verification and just require proof of a unique $500 donation to a 501(c)(3). Not only would it be easier to automate, it would do some good in the world, and people would be a lot happier to see their resources go there than to some box checking bureaucrats.