Microsoft’s Authenticode Technology
Authenticode is a system developed by Microsoft for digitally signing executable code. Authenticode was publicly announced in June of 1996 as part of Microsoft’s Internet Explorer 3.0 and ActiveX technologies. Authenticode now ships as a standard part of all Microsoft operating systems and applications.
Authenticode describes a series of file formats for signing Microsoft 32-bit CAB, CAT, CTL, DLL, EXE, and OCX files. The signed file contains the original unsigned file, the digital signature, and an X.509 v3 digital certificate for the public key needed to verify the Authenticode signature. Authenticode cannot sign Windows COM files or 16-bit EXE files.
Authenticode is closely associated with ActiveX, Microsoft’s system for downloading programs from web pages to end user computers. There are considerable security issues associated with ActiveX. Authenticode was designed to mitigate these dangers by making software publishers accountable for programs they write. (ActiveX and the security provided by Authenticode are discussed in detail in Chapter 12.)
According to Microsoft’s Authenticode documentation, organizations seeking to obtain software publishing certificates must meet the following criteria:
- Identification
Applicants must submit their name, address, and other material that proves their identity as corporate representatives. Proof of identify requires either personal presence or registered credentials.
- The Pledge
Applicants must pledge that they ...
Get Web Security, Privacy & Commerce, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.