Information about EV Code Signing Certificates: A new identity standard in code signing

Microsoft recently announced the availability of EV Code Signing Certificates from Windows Root Certificate Program CAs: Symantec and DigiCert.

As described in Jeb Haber’s blog post, EV Code Signing Certificates are now being issued and will integrate with Microsoft’s SmartScreen Application Reputation technology in Internet Explorer 9, Internet Explorer 10 and Windows 8. SmartScreen is the first use of EV Code Signing Certificates, but Microsoft is excited by the prospect of seeing EV code signing in other security contexts as vendors find value in applying EV identity verification practices.

The EV code signing guidelines developed in the CAB Forum have two key advancements over standard code signing from a safety and identity perspective. First, they require a more rigorous vetting and authentication process, similar to that of the EV SSL certificates used by many secure websites today; this process requires comprehensive identity verification and authentication for each developer. Second, EV code signing certificates require that the private key be held in hardware (such as a hardware token) and that signing be performed with it. This hardware requirement is an additional protection against theft or unintended use of a code signing certificate: a signing key kept in software is accessible to an attacker who compromises the machine, and can also be lost or stolen.

General Requirements for Issuing EV Code Signing Certificates

CAs must have the code signing extended key usage (“EKU”) enabled for their root certificate(s).

CAs must have an appropriate audit of their operating standards, demonstrating readiness to issue EV certificates. At this time, appropriate audits include the “WebTrust for CAs EV Readiness Audit”, “WebTrust for EV Audit Criteria”, and ETSI TS 102 042 V2.1.1. If your base audit is conducted according to other audit criteria, please inquire at casubmit@microsoft.com.

CAs must comply with the special additional terms of the CAB Forum Guidelines, the then-current “EV Code Signing Certificate Guidelines” (version 1.1, effective May 29, 2012), available from http://www.cabforum.org/documents.html, in connection with the issuance of EV code signing certificates.

CAs must complete a special addendum to the Microsoft CA Agreement specifying the “CA Code Signing Certificate Requirements” listed below. CAs must comply (and have their Subscribers comply, as applicable) with those Requirements. These Requirements can be set forth in any Certificate Policy or Certification Practices Statement that is effectively incorporated by reference in a Subscriber Agreement.

How to Apply

  • CAs must apply to Microsoft at casubmit@microsoft.com for issuance of EV Code Signing Certificates.
  • This program requires a root certificate with a new issuer for the sole purpose of issuing EV Code Signing Certificates as described in the Requirements section below.
  • Participation is not guaranteed. Microsoft reserves the right to choose its CA partners for this technology and may not accept every Program CA that otherwise meets the General Requirements listed above.
  • Microsoft may also enable new CAs only at designated times during deployment, such that recognition of newly added CAs may happen at specific intervals.

CA Code Signing Certificate Requirements

  1. In its Subscriber Agreements, CA will require its Subscriber applicants to provide complete, accurate, and truthful information (e.g., application name, information URL, and application description). The subject also must be identified by a verified organization or individual name. Failure by a Subscriber to comply, or to correct inaccurate information promptly, may result in revocation of the code signing Certificate;
  2. In the Subscriber Agreement, CA will provide notice that it may revoke Certificates issued to Subscribers who use such Certificates to digitally sign malicious software or “malware” (e.g., software downloaded without user consent);
  3. In its Subscriber Agreements, CA will require its Subscribers to provide SHA-2 as an option for the signature hash algorithm;
  4. Code signing Certificates that have been revoked due to key compromise or issued to unauthorized persons must be maintained in the CA’s public revocation database for at least 20 years following revocation. CA will operate a timestamp server authority (“TSA”) in conjunction with its code signing service. Effective no later than October 31, 2011, the TSA must comply with RFC 3161, “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP).” In its Subscriber Agreements, CA will request that Subscribers, as a best practice, timestamp the digital signature after signing their code;
  5. The CA is responsible for Certificate revocation per its revocation policy. Microsoft may, however, independently determine that a certificate is malicious or compromised, and Microsoft services and applications may have the ability to modify Microsoft customer experiences to reflect Microsoft’s determination without notice and without regard to the revocation status of the Certificate. CA will require its Subscribers to acknowledge this in its Subscriber Agreements;
  6. CA will not provide keys for such code-signing Roots that are smaller than 2048 bits (and CA will require its Subscribers to acknowledge this in its Subscriber Agreements);
  7. CA will create a new issuer for the sole purpose of issuing EV Code Signing Certificates, and that issuer will have the key words “Extended Validation” in its issuer name (e.g., “Company Extended Validation”); and
  8. CA will create a persistent entity name (“permanent identifier”) for the company that will remain the same across certificate renewals. This permanent identifier will be constructed in accordance with Section 9.7 of the EV Code Signing Certificate Guidelines. If the company has multiple EV code signing certificates, the permanent identifier must be the same across all certificates.
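The requirements above describe properties that a relying party can see on a signed binary: a code signing EKU, a key of at least 2048 bits, an issuer whose name contains “Extended Validation”, a SHA-2 signature, and an RFC 3161 timestamp. The script below is an added example of checking those properties on an Authenticode-signed file; it is not code from this page or from Microsoft. It assumes Windows PowerShell with `Get-AuthenticodeSignature`, takes the file path as a parameter, checks the signer certificate’s own signature algorithm for the SHA-2 requirement, and does not check the permanent identifier, since the page does not describe its format.

```powershell
# Added example (not from the Microsoft page): report which of the listed
# EV code signing requirements a signed file's signature satisfies.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumed parameter: path to a signed PE file
)

$sig = Get-AuthenticodeSignature -FilePath $Path
$findings = @()

if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if ($null -eq $cert) {
    Write-Output "No signer certificate found on $Path"
    return
}

# Code signing EKU: id-kp-codeSigning is OID 1.3.6.1.5.5.7.3.3
$hasCodeSigningEku = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.3') { $hasCodeSigningEku = $true }
        }
    }
}
if (-not $hasCodeSigningEku) {
    $findings += 'Signer certificate lacks the code signing EKU'
}

# Requirement 6: no keys smaller than 2048 bits
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) {
    $findings += 'Signer key is not RSA; key size not checked by this script'
} elseif ($rsa.KeySize -lt 2048) {
    $findings += "Signer key is $($rsa.KeySize) bits, smaller than 2048"
}

# Requirement 7: dedicated issuer whose name contains "Extended Validation"
if ($cert.Issuer -notmatch 'Extended Validation') {
    $findings += "Issuer '$($cert.Issuer)' does not contain 'Extended Validation'"
}

# Requirement 3: SHA-2 family digest in the certificate's signature algorithm
# (friendly names look like "sha256RSA"; the file digest itself is not exposed here)
if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha(256|384|512)') {
    $findings += "Certificate signature uses $($cert.SignatureAlgorithm.FriendlyName), not SHA-2"
}

# Requirement 4: the signature should carry a timestamp so it outlives the cert
if ($null -eq $sig.TimeStamperCertificate) {
    $findings += 'Signature is not timestamped'
}

if ($findings.Count -eq 0) {
    Write-Output "$Path : all checked requirements satisfied"
} else {
    Write-Output "$Path : $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it as `.\Check-EvCodeSigning.ps1 -Path C:\path\to\signed.exe` (script name assumed). A timestamped signature is the one check that matters most after the fact: once the signing certificate expires or is revoked for a date after signing, the timestamp is what lets the signature still be treated as having been made while the certificate was valid.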

Who Can Apply

CAs that are already members of the Windows Root Certificate Program (“Program CAs”) can apply to issue EV code signing certificates. For new membership in the Program and general program requirements, please read the introduction and provide the information listed under the section ‘How to Apply’ on the Program website.

There is no cost or fee payable to Microsoft for issuing EV code signing certificates. There may be an incremental cost to include your code signing certificate infrastructure in your annual EV audit.