Com Add-Ins using Trusted Publisher for Security

JGlowski

I'm developing COM add-in solutions for my company using VB.NET in VS2005 and
VSTO. My company set up its own CA certificate. I have a Trusted Publisher
certificate issued from that CA. I have the project signed with my
certificate and have installed it on other machines. It runs fine as long as
I add Trust for my Trusted Publisher certificate to .NET's Runtime Security
Policy at Machine -> Code Groups -> All Code -> My_Computer_Zone on the
user's computer.

Here's the Question:
The CA certificate is on all the company computers and can be seen from
Certificates - Current User -> Trusted Root Certification Authorities ->
Certificates.
If the Certificate Authority is already trusted by the computer, then why do
I still have to explicitly grant my Trusted Publisher certificate trust? I
thought that was the purpose of needing it to be issued by a Certificate
Authority.

Thanks
 
BeThePKI

This is an excellent question. The Enhanced Key Usage field in the code
signing certificate contains the "Code Signing (1.3.6.1.5.5.7.3.3)" OID and
it is from a publisher you trust so why isn't that enough?

The answer is that you may only want to trust macros that have been signed
within your own organization (or some similar scenario). If we only required
the things above, then there would be no way to prevent code signed by a
certificate issued by any commercial CA from being trusted. Thus, the Trusted
Publishers store.

For example, if Apple had a code signing certificate issued by Verisign and
signed a macro with it, there would be no way for Microsoft to deny that
trust, even at the High security level, without the Trusted Publishers store,
short of removing the Verisign root from their Trusted Root store. The poor
hapless Microsoft user would open the Word document, the macro would run at
the trusted level, unleashing heaven knows what kind of code onto Microsoft's
internal network.
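The distinction the answer draws, "chains to a trusted root" versus "is an explicitly trusted publisher", can be observed on a Windows machine with the following PowerShell script. It is an added example written for this thread, not code posted by either participant: it takes the path of a signed file (the $Path parameter is an assumption), reports whether the Authenticode signature validates up to a root in the Trusted Root store, and then separately reports whether that exact signing certificate is listed in the Trusted Publishers store. A signature can pass the first check and still fail the second, which is the situation the question describes. The .NET 2.0 runtime security policy code group mentioned in the question is a separate allowlist that this script does not inspect.

```powershell
# Added example: compare chain trust with Trusted Publisher membership.
# Usage: .\Check-SignerTrust.ps1 -Path C:\path\to\MyAddIn.dll   (path is an assumed placeholder)
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # signed assembly or installer to inspect
)

# Step 1: Authenticode validation. 'Valid' means the signature is intact and
# the signing certificate chains to a root the machine already trusts.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Authenticode status : $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    "The file is unsigned, tampered with, or its chain does not end in a trusted root."
    return
}

$signer = $sig.SignerCertificate
"Signer subject      : $($signer.Subject)"
"Signer thumbprint   : $($signer.Thumbprint)"

# Step 2: Rebuild the chain explicitly so the root that anchors it is visible.
# Revocation checking is disabled only so the example runs offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($signer)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chains to trusted root : $chainOk (root: $($root.Subject))"

# Step 3: Trusted Publisher check. This is an allowlist of individual
# certificates; being issued by a trusted CA does not put a certificate here.
$publisherThumbprints = Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher |
    Select-Object -ExpandProperty Thumbprint
$isTrustedPublisher = $publisherThumbprints -contains $signer.Thumbprint
"Listed as Trusted Publisher : $isTrustedPublisher"

if ($chainOk -and -not $isTrustedPublisher) {
    "Result: the CA is trusted, but this publisher has not been explicitly trusted."
}
```

Run it against an internally signed add-in before and after importing the signing certificate into the Trusted Publishers store, and the first two results stay the same while the last one flips; that is exactly why a trusted CA alone is not enough.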