I wonder what you mean by "not useful"? They just have to participate in the reputation system, but that's an issue only when the certificate is young.
Here's an excerpt from MSDN:
> Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.
I didn’t say “not useful”. Clearly they’re useful. I said non-EV certs “aren’t as useful”, which is just a fact (as evidenced by the SmartScreen “reputation boost” that EV certs get).
I already read that blog post. I’m the person who linked to it in the forum post.
However, isn’t getting an EV certificate impossible for a natural person? You’d have to be some sort of legally recognized organization. Not exactly suitable for small-scale Open Source development.
KeePass: This isn’t an EV certificate (it has only OID 2.23.140.1.4). Certum also clearly states, at the very top of its description of how to get an EV Code Signing certificate:
> We do not issue EV Code Signing certificates to natural persons!
Yarn: Not an EV certificate either: "Organizationally validated certificates used to sign standard objects." (2.16.840.1.114412.3.1 in addition to 2.23.140.1.4.1).
Source: https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-sma...
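The KeePass and Yarn checks above come down to reading the policy OIDs in the certificate's certificatePolicies extension. The following is an added example, not code from the thread or from any of the projects named in it: a dependency-free DER decoder for that extension plus a classifier using the CA/Browser Forum OV OID 2.23.140.1.4.1 and the DigiCert OV OID quoted for Yarn; the EV code-signing policy OID 2.23.140.1.3 is my assumption from the CA/B Forum EV Code Signing Guidelines and is not quoted in the thread. The sample extension bytes are constructed.

```python
"""Classify a code-signing certificate's validation level from the OIDs in its
certificatePolicies (2.5.29.32) extension. Added example; OID sets are assumptions."""
EV_CODE_SIGNING = {"2.23.140.1.3"}                            # CA/B Forum EV code signing
OV_CODE_SIGNING = {"2.23.140.1.4.1", "2.16.840.1.114412.3.1"}  # CA/B Forum BR + DigiCert OV

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """DER OID content bytes -> dotted string (first byte packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit set means 'more bytes'
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Return every policyIdentifier in a DER-encoded certificatePolicies value."""
    tag, body, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(body):
        _, info, pos = _read_tlv(body, pos)  # PolicyInformation SEQUENCE
        tag, oid, _ = _read_tlv(info, 0)     # first element is the OID; qualifiers ignored
        assert tag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid))
    return oids

def classify(ext_value):
    """'EV', 'OV' or 'unknown' for the certificate this extension belongs to."""
    oids = set(policy_oids(ext_value))
    if oids & EV_CODE_SIGNING:
        return "EV"
    if oids & OV_CODE_SIGNING:
        return "OV"
    return "unknown"

# Constructed samples: a Yarn-style OV extension and a minimal EV extension.
YARN_STYLE = bytes.fromhex("3017" "3008" "0606" "67810c010401" "300b" "0609" "6086480186fd6c0301")
EV_SAMPLE = bytes.fromhex("3009" "3007" "0605" "67810c0103")

if __name__ == "__main__":
    print(policy_oids(YARN_STYLE), classify(YARN_STYLE), classify(EV_SAMPLE))
```

To run this against a real signing certificate, feed it the raw value of the certificatePolicies extension as returned by any X.509 parser; `openssl x509 -in cert.pem -noout -ext certificatePolicies` prints the same OIDs as text for a quick manual check.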