Security improvements to key signing functionality
After that Web API 2.0 was announced, there have been some minor changes.
- A new parameter, signMid was added in the Activation method. By setting it to true, you can ensure that the machine id (set by mid) is signed also. (read more about the security advantages under SignMid)
- The Valid output parameter is equal to “True”, with a capital “T”, instead of “true”.
- The signing functionality (in both Activation and Validation methods) was fixed to make sure that signatures that the server generates can be validated by a client using the public key.
SignMid
The security advantage of using signMid is mostly relevant for applications that perform activation only once or not at all. By setting it to true, the machine code will be added to the signature (in the KeyInformation class) and thus the client app will know that it has not been modified since the last activation was performed.
This opens doors to securer key activation on computers (devices) that do not have direct connection to the Internet, for example, some computers in an enterprise. An enterprise computer does only need to provide a machine code, which is later used to get a signed key information file. If you would like to have something that facilitates the implementation of this logic, please wait several days (approx 1-2 weeks). We are currently working on a possible solution.