Advice Request Key management in Windows


notabot (Thread author), Oct 31, 2018
Many policies revolve around allowing only signed code, verifying drivers at boot, etc., which begs the question of how key management is done in Windows.

How is a key revoked? Is it, e.g., revoked with Windows updates or with another distribution channel?

Where are the keys stored? Are they in a software keystore or, e.g., in the TPM? If it's a software keystore, what protections are built around the keystore?

Which is the root CA for the keys that sign code?

What standards does the CA impose? Which encryption methods does it accept, and with what parameters?

Also, what types of hashes of an app can be signed for the app to be considered signed? Does, e.g., signing the MD5 qualify, or does it need to be a more modern algorithm like SHA-256? Where are acceptable hashing algorithms configured? Where are acceptable signing algorithms configured?