
Commit d4b8ffd

Clarify that Security Advisory 2915720 is opt-in
The WinVerifyTrust and WinVerifyTrustEx functions (wintrust.h) have a note regarding the WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900). This note leads to Security Advisory 2915720, which prompts administrators to configure the `EnableCertPaddingCheck` registry key for additional validation. The WinVerifyTrust{,Ex} function documentation states that the registry key value will be set to "1" by default "on June 10, 2014"; however, this is not correct. The linked advisory was amended, initially to push back the defaults change, and then amended again (V1.4) on July 29, 2014 to clarify that there are no active plans to set "1" as the default. These documents are being updated to avoid conflicting information and the potential resulting confusion among system administrators who read Microsoft documentation to understand the change.
1 parent 1ad8a3f commit d4b8ffd

File tree: 2 files changed, +3 / -3 lines changed


sdk-api-src/content/wintrust/nf-wintrust-winverifytrust.md

Lines changed: 2 additions & 2 deletions
@@ -216,7 +216,7 @@ For example, a trust provider might indicate that the subject is not trusted, or
216216
<td width="60%">
217217
The subject failed the specified verification action. Most trust providers return a more detailed error code that describes the reason for the failure.
218218

219-
<div class="alert"><b>Note</b>  <p class="note">The <b>TRUST_E_SUBJECT_NOT_TRUSTED</b> return code may be returned depending on the value of the <b>EnableCertPaddingCheck</b> registry key under <b>HKLM\Software\Microsoft\Cryptography\Wintrust\Config</b>. If <b>EnableCertPaddingCheck</b> is set to "1", then an additional check is performed to verify that the <b>WIN_CERTIFICATE</b> structure does not contain extraneous information. The check validates that there is no non-zero data beyond the PKCS #7 structure. The <b>EnableCertPaddingCheck</b> key will be set to "1" by default on June 10, 2014. For more information, please refer to the following security advisory: <a href="/security-updates/SecurityAdvisories/2014/2915720">http://technet.microsoft.com/security/advisory/2915720#section1</a>.
219+
<div class="alert"><b>Note</b>  <p class="note">The <b>TRUST_E_SUBJECT_NOT_TRUSTED</b> return code may be returned depending on the value of the <b>EnableCertPaddingCheck</b> registry key under <b>HKLM\Software\Microsoft\Cryptography\Wintrust\Config</b>. If <b>EnableCertPaddingCheck</b> is set to "1", then an additional check is performed to verify that the <b>WIN_CERTIFICATE</b> structure does not contain extraneous information. The check validates that there is no non-zero data beyond the PKCS #7 structure. Setting the <b>EnableCertPaddingCheck</b> key to "1" is on an opt-in basis from July 29, 2014. For more information, please refer to the following security advisory: <a href="/security-updates/securityadvisories/2014/2915720">Microsoft Security Advisory 2915720</a>.
220220

221221
</div>
222222
<div> </div>
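Review bot: the replacement wording at line 219, "is on an opt-in basis from July 29, 2014", reads as if the key became opt-in on that date, whereas the commit message says July 29, 2014 is only the date of the advisory revision (V1.4) that clarified there are no plans to enable it by default; suggest "Setting the <b>EnableCertPaddingCheck</b> key to "1" is opt-in; as of advisory revision V1.4 (July 29, 2014) there are no plans to enable it by default." Separately, the changed line opens `<p class="note">` inside `<div class="alert">` but never closes the `<p>` before the `</div>` at line 221; since this line is being rewritten anyway, append `</p>` after the closing `</a>.` so the note renders as well-formed HTML.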
@@ -265,4 +265,4 @@ For example, the Software Publisher Trust Provider can verify that an executable
265265

266266
Each trust provider supports a specific set of actions that it can evaluate. Each action has a GUID that identifies it. A trust provider can support any number of action identifiers, but two trust providers cannot support the same action identifier.
267267

268-
For an example that demonstrates how to use this function to verify the signature of a portable executable (PE) file, see <a href="/windows/desktop/SecCrypto/example-c-program--verifying-the-signature-of-a-pe-file">Example C Program: Verifying the Signature of a PE File</a>.
268+
For an example that demonstrates how to use this function to verify the signature of a portable executable (PE) file, see <a href="/windows/desktop/SecCrypto/example-c-program--verifying-the-signature-of-a-pe-file">Example C Program: Verifying the Signature of a PE File</a>.
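Review bot: the change at line 268 is whitespace-only (the removed and added text are identical), which is unrelated to the stated purpose of the commit; either drop it from this change set or mention the trailing-whitespace/newline fix in the commit message so the diff is not mistaken for a content edit.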

sdk-api-src/content/wintrust/nf-wintrust-winverifytrustex.md

Lines changed: 1 addition & 1 deletion
@@ -227,7 +227,7 @@ For example, a trust provider might indicate that the subject is not trusted, or
227227
<td width="60%">
228228
The subject failed the specified verification action. Most trust providers return a more detailed error code that describes the reason for the failure.
229229

230-
<div class="alert"><b>Note</b>  <p class="note">The <b>TRUST_E_SUBJECT_NOT_TRUSTED</b> return code may be returned depending on the value of the <b>EnableCertPaddingCheck</b> registry key under <b>HKLM\Software\Microsoft\Cryptography\Wintrust\Config</b>. If <b>EnableCertPaddingCheck</b> is set to "1", then an additional check is performed to verify that the <b>WIN_CERTIFICATE</b> structure does not contain extraneous information. The check validates that there is no non-zero data beyond the PKCS #7 structure. The <b>EnableCertPaddingCheck</b> key will be set to "1" by default on June 10, 2014. For more information, please refer to the following security advisory: <a href="/security-updates/SecurityAdvisories/2014/2915720">http://technet.microsoft.com/security/advisory/2915720#section1</a>.
230+
<div class="alert"><b>Note</b>  <p class="note">The <b>TRUST_E_SUBJECT_NOT_TRUSTED</b> return code may be returned depending on the value of the <b>EnableCertPaddingCheck</b> registry key under <b>HKLM\Software\Microsoft\Cryptography\Wintrust\Config</b>. If <b>EnableCertPaddingCheck</b> is set to "1", then an additional check is performed to verify that the <b>WIN_CERTIFICATE</b> structure does not contain extraneous information. The check validates that there is no non-zero data beyond the PKCS #7 structure. Setting the <b>EnableCertPaddingCheck</b> key to "1" is on an opt-in basis from July 29, 2014. For more information, please refer to the following security advisory: <a href="/security-updates/securityadvisories/2014/2915720">Microsoft Security Advisory 2915720</a>.
231231

232232
</div>
233233
<div> </div>
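Review bot: line 230 duplicates the note from nf-wintrust-winverifytrust.md verbatim, so the same two points apply here: "is on an opt-in basis from July 29, 2014" should state that the key is opt-in and that the July 29, 2014 date is the advisory revision (V1.4) that clarified there are no plans to enable it by default, and the `<p class="note">` opened on this line should be closed with `</p>` before the `</div>` at line 232. Keep the two files' notes textually identical after the fix so they do not drift apart again.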
