- Messages
- 37
- Country
Gents-
I posted this on the FSX Beta forums, but I'd like to now open up the suggestion to the (larger) group of FS Developers.
Small explanation of the situation as it develops, first:
Starting with FSX, all .DLL and .GAU files that addon products (freeware and commercial alike) will be required to have a code signature verifying the authenticity of the developer (i.e. that the person/organization who wrote the addon is really who they claim to be), in order for Flight Simulator X to run the DLL. If the DLL is not signed, there will be an annoying popup dialog box asking the user if they want to run the "untrusted" gauge and possibly add it to their list of trusted add ons.
This is not a big problem if the addon has one or two gauges, but some addons have tens or even hundreds of smaller gauges added, which will definitely cause headaches to each user and MUCH larger headaches to the developers who will be barraged with each user requesting to know wtf this is all about.
Code signing is an easy enough process but the catch is that it costs about two hundred US Dollars (per year, nonetheless!) to purchase a code-signing certificate from a commercial entity such as Verisign or Thawte. This surely does not present a problem with commercial enterprises (such as our own PMDG), but I can certainly see that freeware authors will not want to spend $200 per year to be able to sign their products.
Fortunately, there is a way around this:
FSDevelopers can become the administrative authority which will create a self-signed root CA certificate. This certificate can then become trusted by all users who want to download and use freeware addons (there's a small two-step process involved, but that will be a one-off deal).
Once a user has decided to trust the FSDevelopers root CA, FSDevelopers can produce code-signing certificates for each developer who is willing to submit identification papers (a simple scan/fax of their passport, or similar ID will be enough). The developers then use those certificates to sign their gauges. Such signed gauges will automatically be trusted by any user who's trusting the FSDevelopers root CA - problem solved!
A step further would be for FSDevelopers to apply for a root CA certificate with someone like Microsoft, so that it becomes a secondary Certificate Authority that is automatically trusted as it will be certified by an already known root CA.
Potential problems:
a) Unless we put our collective weight behind this effort and get it widely recognized, known and accepted, this effort will fail as users won't have the FSDevelopers root CA trusted in their system. We might want to add an automated way of installing the FSDevelopers root CA by means of the FSDevelopers web site. We'll also need to heavily promote this effort by sending out press releases to AVSim, SimFlight, FlightSim and other major news networks.
b) There will have to be one or two administrators who will keep the root CA private key file and thus be able to issue developer certificates. These individuals have to be of known reputation and fame, so that the private key file can be kept, well... Private! ;-) These individuals will need to safeguard the private key and also be involved in the issuance of the developer certificates. As freeware developers aren't THAT many, I don't see the process requiring too much of the admins' time, but there will be an initial burst of applications which will need to be done in a quick timeframe.
c) Verification of the paperwork sent in by developers will need to be done by the admins on reception of scanned or faxed copies of Identification Papers. Again - this requires high trust on those admin individuals. We can't have any doubt cast on those people.
Opinions are very welcome in the general discussion forum.
Best regards,
Lefteris Kalamaras
Precision Manuals Development Group
(and also freeware developer ;-))
I posted this on the FSX Beta forums, but I'd like to now open up the suggestion to the (larger) group of FS Developers.
Small explanation of the situation as it develops, first:
Starting with FSX, all .DLL and .GAU files that addon products (freeware and commercial alike) will be required to have a code signature verifying the authenticity of the developer (i.e. that the person/organization who wrote the addon is really who they claim to be), in order for Flight Simulator X to run the DLL. If the DLL is not signed, there will be an annoying popup dialog box asking the user if they want to run the "untrusted" gauge and possibly add it to their list of trusted add ons.
This is not a big problem if the addon has one or two gauges, but some addons have tens or even hundreds of smaller gauges added, which will definitely cause headaches to each user and MUCH larger headaches to the developers who will be barraged with each user requesting to know wtf this is all about.
Code signing is an easy enough process but the catch is that it costs about two hundred US Dollars (per year, nonetheless!) to purchase a code-signing certificate from a commercial entity such as Verisign or Thawte. This surely does not present a problem with commercial enterprises (such as our own PMDG), but I can certainly see that freeware authors will not want to spend $200 per year to be able to sign their products.
Fortunately, there is a way around this:
FSDevelopers can become the administrative authority which will create a self-signed root CA certificate. This certificate can then become trusted by all users who want to download and use freeware addons (there's a small two-step process involved, but that will be a one-off deal).
Once a user has decided to trust the FSDevelopers root CA, FSDevelopers can produce code-signing certificates for each developer who is willing to submit identification papers (a simple scan/fax of their passport, or similar ID will be enough). The developers then use those certificates to sign their gauges. Such signed gauges will automatically be trusted by any user who's trusting the FSDevelopers root CA - problem solved!
A step further would be for FSDevelopers to apply for a root CA certificate with someone like Microsoft, so that it becomes a secondary Certificate Authority that is automatically trusted as it will be certified by an already known root CA.
Potential problems:
a) Unless we put our collective weight behind this effort and get it widely recognized, known and accepted, this effort will fail as users won't have the FSDevelopers root CA trusted in their system. We might want to add an automated way of installing the FSDevelopers root CA by means of the FSDevelopers web site. We'll also need to heavily promote this effort by sending out press releases to AVSim, SimFlight, FlightSim and other major news networks.
b) There will have to be one or two administrators who will keep the root CA private key file and thus be able to issue developer certificates. These individuals have to be of known reputation and fame, so that the private key file can be kept, well... Private! ;-) These individuals will need to safeguard the private key and also be involved in the issuance of the developer certificates. As freeware developers aren't THAT many, I don't see the process requiring too much of the admins' time, but there will be an initial burst of applications which will need to be done in a quick timeframe.
c) Verification of the paperwork sent in by developers will need to be done by the admins on reception of scanned or faxed copies of Identification Papers. Again - this requires high trust on those admin individuals. We can't have any doubt cast on those people.
Opinions are very welcome in the general discussion forum.
Best regards,
Lefteris Kalamaras
Precision Manuals Development Group
(and also freeware developer ;-))
