|
Updated: July 17, 1997
All software publishers who have developed controls for the Web should re-sign their code before their current certificate expires (which, for most publishers, will occur in the next couple of months). When you re-sign your code, it is important that you do so using the new timestamp option in the code-signing upgrade to the ActiveX Software Development Kit (SDK). Using the new timestamp option will assure that users continue to see that your signature is valid even after your certificate has expired.
To re-sign your code, you'll need:
Below, we've provided answers to questions you may have about the Authenticode update for users, and about the need to re-sign all your controls before your certificate expires:
Why use the timestamp option?
Why is Microsoft releasing the Authenticode client update?
What actually happens on June 30?
Should you re-sign now, or wait until the expiration date on your certificate draws closer?
Once you re-sign your code, do you need to get a new certificate from Verisign?
Is there a cost associated with using the timestamping service from Verisign?
Is Microsoft working with other vendors to provide timestamping services?
Will the new signatures work with the Platform Preview of Internet Explorer 4.0?
Will third-party tools for signing self-extracting .exe's need to be upgraded?
Why do the certificates expire?
When you use the timestamp option to sign your code, the signature is forever recorded as having occurred during the validity period of your certificate. Users will then always see that the signature is valid, even after the validity period of your certificate has expired.
Why is Microsoft releasing the Authenticode client update?
Microsoft is releasing the client update to roll out new Authenticode 2.0 software, which includes significant improvements and renews internal certificates that will soon expire. The improvements include:
What actually happens on June 30?
If users have downloaded the Authenticode upgrade, here's what they will see after June 30:
If users have not downloaded the Authenticode upgrade, here's what they will see after June 30:
Bottom Line: To prevent users from receiving warning notices when they encounter your code, (1) you must re-sign your code before your certificate expires, and (2) users must download the Authenticode client update before June 30. As explained below, we have provided tools for you to help you update your users to Authenticode 2.0. They will then continue to see the proper Authenticode messages for your code.
Should you re-sign now, or wait until the expiration date on your certificate draws closer?
Microsoft recommends that Web publishers re-sign their code soon to avoid heavy demand on timestamp servers in late June and July, when most publishers' certificates expire. Due to proxy delays, it takes the servers approximately 5 seconds to process each signature. Heavy demand near the expiration deadlines could likely result in time-outs, requiring multiple attempts to obtain a valid timestamp. As explained below, there is a hitch to signing early, but Microsoft is providing script and a pointer to our download site to help resolve it.
For the future:
Again, Microsoft strongly recommends that you use the code-signing upgrade's timestamp option, which will prevent you from having to re-sign your code again.
Once you re-sign your code, do you need to get a new certificate from Verisign?
No. You can continue to use your current certificate until it expires.
Is there a cost associated with using the timestamping service from Verisign?
No.
Is Microsoft working with other vendors to provide timestamping services?
Not at this time.
Will the new signatures work with the Platform Preview of Internet Explorer 4.0?
Yes, provided that users have downloaded the version of Authenticode 2.0 that will be posted on June 23. The version available before that date does not work with the Platform Preview of Internet Explorer 4.0. The final release of Internet Explorer 4.0 supports the timestamping service.
Will third-party tools for signing self-extracting .exe's need to be upgraded?
Yes. Microsoft is working with third-party tools vendors to make upgraded tools available as soon as possible.
Why do the certificates expire?
By design, certificates expire in order to prevent the indefinite use of a certificate. By creating this "valid time window" for a certificate, the design of Authenticode limits the potential damage that can arise from a compromised certificate.
Back to the ActiveX SDK home page