Microsoft’s Authenticode Technology

Authenticode is a system developed by Microsoft for digitally signing executable code. Authenticode was publicly announced in June of 1996 as part of Microsoft’s Internet Explorer 3.0 and ActiveX technologies.

ActiveX is a system for downloading programs from web pages to end user computers. There are considerable security issues associated with ActiveX. Authenticode was designed to mitigate these dangers by making software publishers accountable for programs they write. (ActiveX and the security provided by Authenticode are discussed in detail in Chapter 4.)

Authenticode describes a series of file formats for signing Microsoft 32-bit EXE, DLL, and OCX files. The signed file contains the original unsigned file, the digital signature, and an X.509 v3 digital certificate for the public key needed to verify the Authenticode signature. Authenticode cannot sign Windows COM files or 16-bit EXE files.
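As an added illustration (not code from the book or from Microsoft), the Python sketch below locates the embedded signature data in a signed PE file so it can be handed to a PKCS #7 verifier. It relies on PE layout details not given on this page (the certificate table is data directory entry 4 and holds WIN_CERTIFICATE records), also accepts PE32+ images beyond the 32-bit files named above, and only extracts the blob without verifying it; `find_signatures` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

def find_signatures(pe: bytes):
    """Return [(revision, cert_type, blob), ...] from the PE certificate table.
    Returns [] if unsigned. cert_type 0x0002 marks a PKCS #7 SignedData blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE header (DOS or 16-bit file)")
    opt = e_lfanew + 24                      # skip PE signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+
    if dirs is None:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", pe, dirs - 4)       # NumberOfRvaAndSizes
    if count <= 4:
        return []
    # Directory entry 4: unlike the others, its first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if size == 0:
        return []
    end = offset + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], offset
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7             # entries are 8-byte aligned
    return entries

def build_sample(blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers only, not a runnable program)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # 16 data directories
    cert = b""
    if blob:  # one WIN_CERTIFICATE: revision 2.0, type PKCS #7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        cert += bytes(-len(cert) % 8)                        # pad to 8 bytes
        struct.pack_into("<II", opt, 96 + 4 * 8, 312, len(cert))  # file offset 312
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    for rev, ctype, sig in find_signatures(build_sample(b"constructed-signature")):
        print(hex(rev), hex(ctype), len(sig), "bytes")
```
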

The “Pledge”

Microsoft and VeriSign require that all software publishers take the “Software Publisher’s Pledge.” The pledge is a binding agreement in which the software publisher promises not to sign programs that contain viruses or that will otherwise damage a person’s computer.

The Pledge is described in Section 4 of the VeriSign certification practice statement and is reprinted here:

In addition to the other representations, obligations, and warranties contained or referenced in the certificate application, the [individual] [commercial] software publisher ...
