Frequently Asked Questions About Code Signing

April 1996

General Questions

How do I get a certificate?
What is the role of a CA? Why are CAs needed?
What are public and private keys?
Is signed code really secure?
Is signed code a cross-platform solution?
What exactly is my liability when I sign code?
If I sign a whole page, can everything on it be trusted?
Why not just encrypt all of my code?
If I use sandboxing (Visual Basic Scripting Edition or JavaScript), why do I need to sign code?

Policies and Requirements

What are the policies?
Why do we need two sets of policies?
Aren't you saying that individuals are second-class citizens?
Why does the corporate policy require hardware, whereas the individual policy does not?
Why use a Dunn & Bradstreet rating rather than something like a social security number?

Tools and Processes

Tell me how code signing works
How do I get my public and private keys?
Where do I get the tools for this effort?
What if someone steals my key and starts distributing bad code with it?
What encryption algorithms are you using? What about exporting these?
Is RSA required?

Costs and Timeframes

How much does certification cost?
Isn't this kind of expensive?
How long does it take to sign code?
How long does it take to get a certificate?
When can I get a certificate?
When can I start testing signed code?
What happens when my certificate expires?

Code Signing vs. Other Technologies

Will NetScape check for signed code?
I heard that Intel is coming out with a security services manager. How will that work with digital signatures?
I heard that VeriSign is coming out with digital certificates for end users. Will people be able to use those to sign code?
How do SET or PCT differ from digital signatures?

If you have questions we haven't covered in this document, please send e-mail to safecode@microsoft.com.



General Questions

How do I get a certificate?

ISVs obtain their certificate from a third party called a certificate authority (CA), such as VeriSign, Inc. or GTE. Both of these companies have announced their participation in this effort. CAs ensure that an ISV follows a set of policies, for which the CA provides a set of credentials to the ISV. The set of credentials is a file consisting of certificates: one for the ISV, one for the CA, and (in the case of a sub-CA that offers partial services for a root CA) a certificate for each root CA.

What is the role of a CA? Why are CAs needed?

A CA is a third party trusted by the industry. (You might think of a CA as a notary who handles electronic IDs.) CAs provide services such as the following:

Anyone can be a CA or a sub-CA, if they are willing to provide these services. An example of a CA and sub-CA relationship is as follows: VeriSign may be a root CA providing full CA services. A university may want to provide certificates for all of the students in its masters program. The university may be in a good position to authenticate the identity of its students and may be willing to collect and track the necessary paperwork, but may not want to handle liability issues. Thus, the university might want to pass on the liability issues to a root CA such as VeriSign or GTE.

What are public and private keys?

Private and public keys are a matched set of keys created by the ISV and used for encryption and decryption of the digest into the signature block. The ISV uses the private key to encrypt the digest into the signature block. This key is never exposed to an outside party. The public key is also created by the ISV. It is verified as part of the certification process by the CA and distributed to the public in the signature block.

Is signed code really secure?

Yes. The security methods used to support this proposal are not new; they rely on tried and proven technology. The specifications on which the technology is based have been used successfully in the industry for some time. These include PKCS #7 (encrypted key specification), PKCS #10 (electronic request forms), X.509 (certificate specification), and SHA and MD5 hash algorithms.

Is signed code a cross-platform solution?

Yes. The specifications were designed to be portable to other platforms, and the technology is not specific to Win32® or other Microsoft executables. Microsoft will focus on making this solution available on Windows® 95 and Windows NT™ first. Microsoft is also encouraging, and working with, partners to ensure that the technology will be implemented on UNIX®, the Macintosh®, and Windows 3.1.

What exactly is my liability when I sign code?

The act of signing code does not imply liability--it only provides identification of the author and assurance that the code has not been tampered with since it left the author's hands. However, federal law does prohibit the intentional distribution of malicious code.

If I sign a whole page, can everything on it be trusted?

Currently, you can sign all of the elements of a page separately, including the HTML code. We had not considered signing a whole page as a feature for the first release. However, ISV and page authors have told us that this is a very compelling feature. It presents some unique problems, but we are investigating the possibilities and discussing potential solutions with vendors of authoring tools. We haven't made any announcements yet.

Why not just encrypt all of my code?

For two reasons:

If I use sandboxing (Visual Basic® Scripting Edition or JavaScript), why do I need to sign code?

You still need to sign code because scripts can call ActiveX™ controls and Java™ applications. Even if the sandboxed scripts are safe, these interactive applications may not be. The very features that make interactive code compelling require the kind of functionality that is associated with risk. That's why it's important for users to be able to determine where the code is coming from and know that the author of the code has assured reliability.




Policies and Requirements

What are the policies?

Microsoft proposes two sets of policies: commercial (corporate) and individual. Details of both policies are provided in Proposal for Authenticating Code Via the Internet, which is also available on this Web site.

To summarize:

Why do we need two sets of policies?

The needs of the corporate (or commercial) software publisher are different from the needs of the individual software publisher (for example, a college student or hobbyist). The commercial policy is designed to provide more security and a higher level of authentication that a user can rely on. Although the corporate software publisher offers great value to the Internet, we can't overlook the contributions of individuals who don't have D&B ratings or can't afford the resources for secure hardware. The individual policy is designed to provide a lower bar of entry, trading off against a higher level of security. Users will eventually be able to distinguish between corporate and individual levels of certification. In future releases of the implementation, they will be able to distinguish between different corporations or different individuals, allowing only code from specific software publishers on their machines.

Aren't you saying that individuals are second-class citizens?

Not at all. We created an individual policy because we consider individual contributions to the Internet very valuable if the Internet is to evolve beyond a platform used only for browsing content. There is nothing that prevents an individual certificate holder from upgrading his or her certificate to a commercial level. There is the hurdle of costs, but these are for services necessary to implement the open standard successfully.

Why does the corporate policy require hardware, whereas the individual policy does not?

The individual policy is designed to allow a lower level of entry, at the cost of some security. Corporations often need greater measures of security--they have much more liability at stake, and they may need to provide a higher level of security to secure a contract. Hardware devices for storing private keys can range anywhere from a $150 PCMCIA device or dongle to a $12,000 BBN SafeKeyper. Hardware storage, even the PCMCIA device, is much harder to copy or compromise than a floppy disk. Corporations will determine what level of security they need.

Why use a Dunn & Bradstreet rating rather than something like a social security number?

Dunn & Bradstreet (D&B) ratings are extremely easy to get. If your company has released a financial statement or paid taxes, it probably has a D&B rating. If your company doesn't have a D&B rating, it's very easy to request one. Another advantage of D&B ratings is that they are also used internationally, whereas social security numbers are not.




Tools and Processes

Tell me how code signing works

When an ISV finishes developing and testing his code, he signs the code. (Tools for signing are in the ActiveX Development Kit, available in preliminary form for downloading from this site.) For signing, the code is run through a one-way hash function that produces a fixed-length "digest." The digest is then encrypted with the ISV's private key and combined into a signature block with the name of the hash algorithm and the certificate (which holds the name of the publisher, the public key, the name of the CA's certificate, and so on). This signature block is then inserted back into the portable-executable (PE) file format under a reserved section, and the code is distributed over the Internet.

When the user downloads the code, the downloading application calls the WinVerifyTrust API. The system extracts the signature, determines the CA who authenticated the certificate, and obtains the ISV's public key distributed by that CA. The system then uses the public key to decrypt the digest. It runs the specified hash on the code again, creating a new digest. If the code has not been modified since it was signed, the new digest should match the old one. If the two digests don't match, either the code was modified, or the public and private keys aren't a matched pair. In either case, the code becomes suspect and the user is warned.
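The two steps above (hash, sign the digest with the private key, then re-hash and check with the public key) in working form. This is an added example written in Go for this FAQ, not the ActiveX Development Kit tools or WinVerifyTrust; the SignatureBlock type, the SignCode, VerifyCode and Demo functions, the publisher name and the sample "code" bytes are all constructed for illustration. It uses the PKCS #1 v1.5 signature scheme with SHA-256 rather than the SHA-1/MD5 hashes the FAQ lists, and reduces the certificate to a publisher name plus public key; a real signature block carries an X.509 certificate naming the issuing CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignatureBlock holds what the FAQ says is inserted into the PE file: the
// hash algorithm name, the signed digest, and the certificate (reduced here
// to the publisher name and public key; this struct is a constructed stand-in).
type SignatureBlock struct {
	Publisher string
	HashAlg   string
	Signature []byte
	PublicKey *rsa.PublicKey
}

// SignCode is the ISV step: hash the code, sign the digest with the private
// key, and package the result with the hash name and publisher identity.
func SignCode(priv *rsa.PrivateKey, publisher string, code []byte) (*SignatureBlock, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignatureBlock{
		Publisher: publisher,
		HashAlg:   "SHA-256",
		Signature: sig,
		PublicKey: &priv.PublicKey,
	}, nil
}

// VerifyCode is the client step: re-hash the code with the algorithm named in
// the block and check the signature with the public key. A nil error means the
// recomputed digest matches the signed one.
func VerifyCode(block *SignatureBlock, code []byte) error {
	if block.HashAlg != "SHA-256" {
		return fmt.Errorf("unsupported hash algorithm %q", block.HashAlg)
	}
	digest := sha256.Sum256(code)
	return rsa.VerifyPKCS1v15(block.PublicKey, crypto.SHA256, digest[:], block.Signature)
}

// Demo exercises the outcomes the FAQ describes: untouched code verifies,
// modified code is rejected, and a signature checked against a public key that
// is not the signer's mate is rejected.
func Demo() (genuineOK, tamperedRejected, wrongKeyRejected bool, err error) {
	code := []byte("constructed sample control bytes v1.0") // constructed stand-in for a PE file
	isvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return
	}

	block, err := SignCode(isvKey, "Example Software Inc.", code)
	if err != nil {
		return
	}

	genuineOK = VerifyCode(block, code) == nil

	// Flip one bit of the code after signing: the digests no longer match.
	tampered := append([]byte{}, code...)
	tampered[len(tampered)-1] ^= 0x01
	tamperedRejected = VerifyCode(block, tampered) != nil

	// Same code and signature, but a public key that is not the private key's mate.
	swapped := *block
	swapped.PublicKey = &otherKey.PublicKey
	wrongKeyRejected = VerifyCode(&swapped, code) != nil
	return
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, wrong key rejected: %v\n", g, t, w)
}
```

The wrong-key case is what the FAQ means by "the public and private keys aren't a matched pair": the client cannot tell that failure apart from a modified file, which is why both end in the same warning.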

How do I get my public and private keys?

You can generate your private and public keys by using the software in the ActiveX Development Kit (available in preliminary form for downloading from this site) when you request a certificate from your CA. Both keys are generated by you--no one, not even the CA, will see your private key. The CA only validates and distributes the public key that you've generated in the request.

Where do I get the tools for this effort?

Microsoft already has some simple tools in the ActiveX Development Kit, available in preliminary form for downloading on this site. You can find these tools in the \bin directory after you install the ActiveX Development Kit; they include the following:

For more information and usage instructions for these tools, see README.TXT in the \bin directory after you install the ActiveX Development Kit.

In addition, you can use Microsoft Internet Explorer version 3.0 (a preliminary version is available in the ActiveX Development Kit) to test downloading signed code. All Microsoft development tools will soon support the ability to sign code. We are also working with other tools vendors to ensure that they get all of the specifications and assistance they need to implement code signatures.

What if someone steals my key and starts distributing bad code with it?

One of the services that the CA provides is to maintain a list of revoked keys. If someone steals your key, you can get your certificate revoked and get a new certificate with a new set of keys immediately by contacting your CA. Users can refresh their list of revoked certificates on a periodic basis. The size of the revoked certificate list should be very small (like a stolen credit card list, but even smaller). When the user tries to download code signed under your old certificate, he or she is warned that the certificate has been revoked. When you get a new certificate and a new set of keys, you will have to refresh your installed customer base with a new release of your software signed with the new certificate. (This is similar to a recall of software, except that you are spared the expense of cleaning the channel of bad disks.)

What encryption algorithms are you using? What about exporting these?

Exporting signed code is not a problem. Remember: You are encrypting only a small digest or hash of your code, and inserting that into your file; you are not encrypting large amounts of data. The export laws treat digital signatures as a special case. There are no export controls on the encryption of message digests, so you can use a pretty heavy-duty RSA public key for these digests. Our Cryptographic Service Provider (CSP) defaults to 512-bit keys, whereas the root-level STT (Visa + Mastercard) technology involves 1024-bit keys.

Is RSA required?

No, the Microsoft CryptoAPI allows for different Cryptographic Service Providers (CSPs). You can use any CSP you want; however, you must ensure that your customer base is also using the same CSP. Microsoft will use RSA, the widely accepted solution, as the default.




Costs and Timeframes

How much does certification cost?

Hardware for the commercial certificate can cost anywhere from $150 (for a PCMCIA card) to $12,000 (for a BBN SafeKeyper device). According to VeriSign, Inc., their service will cost about $400 for an initial commercial publisher's digital ID, and about $300/year for renewal. Digital IDs for individual publishers will cost about $20.

Isn't this kind of expensive?

Microsoft and the current CAs have made every attempt to keep the initial price as low as possible. As more CAs and services come on board, the prices will likely become even more competitive. The costs are very reasonable, especially when you consider how much you spend on artwork and shrink-wrapping for conventional products each year.

How long does it take to sign code?

Code signing is a very quick process, and needs to be completed only once for your code, just before distribution. You can step through the code-signing process easily within a few minutes.

How long does it take to get a certificate?

A commercial policy takes about two weeks, because of the paperwork that needs to be exchanged. The individual policy certificate can be obtained online, and should take about an hour.

When can I get a certificate?

VeriSign, Inc. and GTE have announced that they will start distributing certificates as early as April or May 1996. (Please note that the links to these companies point to servers that are not under Microsoft's control. Please read Microsoft's official statement regarding other servers.)

When can I start testing signed code?

The preliminary version of Microsoft Internet Explorer version 3.0 (available from the preliminary ActiveX Development Kit) supports downloading signed code. The final release of Internet Explorer 3.0 will be available later this summer.

What happens when my certificate expires?

The expiration of certificates provides an added measure of security. (For example, if a university certifies all of its students with digital IDs, it could set each ID to expire when the student leaves the university.) Code that is signed with an expired certificate is invalid. However, code that is signed with a valid certificate does not expire when the certificate expires--you do not have to resign code when you renew your certificate. Only code you sign after the renewal needs to be signed with the renewed certificate.
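The revocation check from the "What if someone steals my key" answer and the expiry rule stated here, combined into one client-side decision. This is an added example written in Go for this FAQ, not Microsoft's implementation; the Certificate and RevocationList types, the CheckCertificate and Scenarios functions, the serial numbers, publisher names and dates are all constructed. It assumes the client knows when the code was signed (real implementations get this from a trusted timestamp countersignature, which the FAQ does not describe); the expiry rule is then applied to the signing time, not the download time, which is exactly what lets code signed under a valid certificate stay valid after that certificate expires.

```go
package main

import (
	"fmt"
	"time"
)

// Certificate carries only the fields the check needs; a real certificate is
// X.509 and also holds the public key and the issuing CA's name (constructed type).
type Certificate struct {
	Serial    string
	Publisher string
	NotBefore time.Time
	NotAfter  time.Time
}

// RevocationList stands in for the list of revoked certificates that the FAQ
// says the CA maintains and users refresh periodically: serial -> when revoked.
type RevocationList map[string]time.Time

type Verdict string

const (
	Trusted Verdict = "trusted"
	Revoked Verdict = "warn: certificate revoked"
	Expired Verdict = "invalid: signed outside the certificate's validity period"
)

// CheckCertificate decides how to treat a signature made at signedAt under cert.
// A revoked certificate always yields a warning, whenever the code was signed.
// Expiry is judged against the signing time: code signed while the certificate
// was valid stays trusted after the certificate expires.
func CheckCertificate(cert Certificate, signedAt time.Time, crl RevocationList) Verdict {
	if _, revoked := crl[cert.Serial]; revoked {
		return Revoked
	}
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return Expired
	}
	return Trusted
}

// Scenarios runs four constructed cases and returns the verdict for each.
func Scenarios() map[string]Verdict {
	day := func(y, m, d int) time.Time {
		return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
	}
	// One-year commercial certificate issued May 1996 (constructed).
	cert := Certificate{Serial: "0001", Publisher: "Example Software Inc.",
		NotBefore: day(1996, 5, 1), NotAfter: day(1997, 5, 1)}
	// A second certificate whose key was reported stolen and revoked in September 1996.
	stolen := Certificate{Serial: "0002", Publisher: "Example Software Inc.",
		NotBefore: day(1996, 5, 1), NotAfter: day(1997, 5, 1)}
	crl := RevocationList{"0002": day(1996, 9, 15)}

	return map[string]Verdict{
		"signed during validity, checked after expiry": CheckCertificate(cert, day(1996, 8, 1), crl),
		"signed after the certificate expired":         CheckCertificate(cert, day(1997, 6, 1), crl),
		"signed before the certificate was issued":     CheckCertificate(cert, day(1996, 4, 1), crl),
		"signed under a certificate later revoked":     CheckCertificate(stolen, day(1996, 8, 1), crl),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-46s -> %s\n", name, verdict)
	}
}
```

The first scenario is the one this answer is about: the download happens after May 1997, but the signature was made in August 1996 while the certificate was valid, so the code is still trusted. The revoked case shows why users need to refresh the CA's list: without a current list the stolen certificate would look just as good as the genuine one.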




Code Signing vs. Other Technologies

Will NetScape check for signed code?

We don't know what Netscape's plans are in this area. The Microsoft Internet Explorer will check for signed code, as will all other client-side Internet applications from Microsoft. Over 40 ISVs had signed up to support the signed code initiative at the time of its public announcement. Microsoft and these ISVs strongly encourage the industry to adopt this initiative. Microsoft is working with the W3C to ensure that the proposal remains an open standard, and that the information is readily available.

I heard that Intel is coming out with a security services manager. How will that work with digital signatures?

Microsoft is looking at adding digital signatures to components being downloaded from the Internet. Intel's security services manager uses the Cryptographic API (CryptoAPI), which is being added to Microsoft Windows. At this point, digital signatures and the security services manager are independent of one another.

I heard that VeriSign is coming out with digital certificates for end users. Will people be able to use those to sign code?

VeriSign will be one of the digital certificate issuers for developers. The digital certificates for users are completely different from certificates for developers. Developer certificates require additional criteria, such as attesting that the signed code is not malicious. Initially, developer certificates need to be part of a specific certificate trust hierarchy that Windows recognizes. See Proposal for Authenticating Code Via the Internet for details on the corporate and individual policies.

How do SET or PCT differ from digital signatures?

Each security technology serves a different purpose and solves a different problem. However, there are similarities in the infrastructure, in the use of certificate authorities and public/private key technology. In addition, signed code includes a hash of the code/component in the certificate, and is portable to non-secure servers. For more information, see Security Technologies on this Web site.




© 1996 Microsoft Corporation