Microsoft Authenticode Technology

Microsoft Corporation

Why Do End Users Need Authenticode?

Today's Web sites provide not only a rich experience for users but also the possibility of unwittingly downloading malicious code. With increasingly active content on the Internet, end users often must decide whether or not to download code over the Internet. However, end users cannot really tell what a piece of software will do until they've downloaded it to their computers.

Unlike the retail environment, software on the Internet is not labeled or "shrink-wrapped." Therefore, end users don't know for sure who published a piece of software on the Internet. They also don't know if the code has been tampered with. As a result, end users take on a certain amount of risk when downloading Java applets, plug-ins, Microsoft® ActiveX™ controls, and other executables over the Internet.

Internet Explorer 3.0 uses Authenticode™ technology to help address this problem for end users. Before software is downloaded to a user's PC, Authenticode identifies the publisher of signed software and verifies that the code has not been modified since it was signed. A valid signature establishes who published the code and that it is intact; it does not say what the code will do, so the download decision still belongs to the user, but it is a better-informed one.

How Do I Sign My Code?

Download the ActiveX SDK to get the tools and the in-depth technical information you need to take advantage of Authenticode. "The Six Steps to Signing Your Code" describes how to obtain your software publisher certificate from a certificate authority such as VeriSign and how to sign and test your code using the tools provided in the ActiveX SDK. The following is a higher-level overview of the code signing process.

  1. Apply for and receive a software publishing certificate

    You will need to apply for and receive either an Individual or a Commercial Software Publisher certificate from a Certificate Authority (CA) that supports Authenticode™ technology. "Digital Certificates for Authenticode" provides more information about the certificate enrollment process for software publishers. Digital IDs for Software Publishers are now available from VeriSign.

    You must generate a key pair during this application process and provide the necessary information to the CA. Information would include your name, address, public key, and other relevant information depending on whether you are requesting an Individual or Commercial Software Publisher certificate. The CA will examine the evidence to verify your credentials, employing external contractors such as Dun & Bradstreet.

    After the CA has decided that you meet its policy criteria, it generates a Software Publisher Certificate in the industry-standard X.509 version 3 certificate format. This certificate identifies you and contains your public key. The CA keeps a copy for reference and returns a copy to you by electronic mail. Review the contents of the certificate before accepting it. Once you have accepted it, include a copy of the certificate in every piece of software you sign with the corresponding private key, so that the verifier can obtain your public key from the signed software itself. Keep the private key confidential: anyone who obtains it can sign code in your name.

    Commercial developers can expect a response to their application in less than two weeks. While there is no limit to the number of certificates a commercial software publisher can obtain, it is up to you to decide who in your organization gets a certificate and how code is signed and distributed.

  2. Signing and distributing your software

    You can now begin signing and distributing software on the Internet. Signing the code involves these steps:

  3. When a user downloads the code from the Internet, the browser or client-side application calls a Win32® function named WinVerifyTrust. This function extracts the signature block, validates the publisher certificate it contains (including that the certificate was issued by a CA the system trusts), and uses the publisher's public key from that certificate to recover the digest that the publisher signed. It then rehashes the executable with the hash function named in the signature block to produce a second digest and compares the two. If the digests do not match, either the code has been modified since it was signed or the signature was produced with a private key that does not match the public key in the certificate.

    Depending on the options the user has selected, Microsoft Internet Explorer 3.0 informs the user if the code has not been signed or if it has been modified since it was signed, whether on the server or in transit. The result is a user who is better informed to make a decision about the software to be downloaded. "How to Use Authenticode" provides more information on how end users interact with signed code using Internet Explorer.
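The publisher side described under step 2 and the WinVerifyTrust checks described under step 3, as an added, self-contained Go example; this is not code from the original page, from the ActiveX SDK, or from Microsoft. It assumes RSA with PKCS#1 v1.5 signatures over a SHA-256 digest (the original tools' algorithm choices are not stated on the page), stands up its own CA and publisher certificate in-process in place of the CA enrollment step, and uses constructed bytes in place of a real executable. The names SignatureBlock, Sign, Verify, issue and Demo are the example's own. It exercises three cases a practitioner cares about: an intact image, a one-byte modification, and a signature block whose certificate is merely self-signed by the publisher rather than issued by a trusted CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignatureBlock models what an Authenticode signature block carries: the hash
// algorithm used, the signature over the digest, and the publisher's
// certificate (DER) from which the verifier recovers the public key.
type SignatureBlock struct {
	HashAlg   string
	Signature []byte
	CertDER   []byte
}

// digest hashes the image with the algorithm named in the signature block.
// Only SHA-256 is wired up here; the choice of hash is this example's assumption.
func digest(alg string, image []byte) ([]byte, crypto.Hash, error) {
	if alg != "sha256" {
		return nil, 0, fmt.Errorf("unsupported hash algorithm %q", alg)
	}
	sum := sha256.Sum256(image)
	return sum[:], crypto.SHA256, nil
}

// Sign is the publisher side (step 2): hash the image, sign the digest with the
// private key, and package signature plus certificate for distribution.
func Sign(image []byte, priv *rsa.PrivateKey, certDER []byte) (*SignatureBlock, error) {
	d, h, err := digest("sha256", image)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, h, d)
	if err != nil {
		return nil, err
	}
	return &SignatureBlock{HashAlg: "sha256", Signature: sig, CertDER: certDER}, nil
}

// Verify is the client side (step 3), mirroring what the page attributes to
// WinVerifyTrust: parse the embedded certificate, check that it chains to a
// trusted root and is valid for code signing, rehash the image with the named
// hash, and check the signature over that digest with the certificate's key.
func Verify(image []byte, blk *SignatureBlock, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(blk.CertDER)
	if err != nil {
		return fmt.Errorf("bad certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("publisher certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	d, h, err := digest(blk.HashAlg, image)
	if err != nil {
		return err
	}
	// VerifyPKCS1v15 recovers the signed digest with the public key and compares
	// it with the fresh one: a mismatch means the image changed after signing or
	// the signing key does not match the certificate.
	if err := rsa.VerifyPKCS1v15(pub, h, d, blk.Signature); err != nil {
		return errors.New("digest mismatch: image modified or signed with a different key")
	}
	return nil
}

// issue creates a certificate for key, signed by parent/parentKey, or
// self-signed when parent is nil. It stands in for the CA enrollment step.
func issue(name string, isCA bool, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo runs the whole flow on a constructed image and returns the verifier's
// verdict (nil means accepted) for the intact image, a tampered copy, and a
// signature whose certificate is self-signed instead of issued by the CA.
func Demo() (intact, tampered, untrusted error) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	publisherKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := must(issue("Example Authenticode CA", true, caKey, nil, nil))
	spc := must(issue("Example Software Publisher", false, publisherKey, caCert, caKey))
	selfSigned := must(issue("Example Software Publisher", false, publisherKey, nil, nil))
	roots := x509.NewCertPool() // the client's trusted CA list
	roots.AddCert(caCert)

	image := []byte("MZ\x90\x00 constructed stand-in for a downloaded executable")
	blk := must(Sign(image, publisherKey, spc.Raw))
	intact = Verify(image, blk, roots)

	modified := append([]byte(nil), image...)
	modified[len(modified)-1] ^= 0xFF // a one-byte change after signing
	tampered = Verify(modified, blk, roots)

	untrusted = Verify(image, must(Sign(image, publisherKey, selfSigned.Raw)), roots)
	return intact, tampered, untrusted
}

func main() {
	intact, tampered, untrusted := Demo()
	fmt.Println("intact image:", intact)
	fmt.Println("tampered image:", tampered)
	fmt.Println("self-signed publisher certificate:", untrusted)
}
```

The third case is the one the page's trust model hinges on: a signature block can carry any certificate, so the verifier must check that the certificate chains to a CA it trusts before the public key inside it means anything. Without that check, anyone could mint a certificate naming themselves "Microsoft" and sign tampered code that still passes the digest comparison.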