Tired of managing certificates? Automate it with ZeroSSL   Learn about ZeroSSL Automation x

Will Code Signing Certificates go EV?

Larry Seltzer writes about the development of EV certificates and how they relate to EV Certificates. After mentioning VeriSign's No More Abandoned Shopping Carts campaign to promote EV SSL Certificates, Seltzer comments on the possibility of EV Code Siging Certificates:

But what about code signing certificates? I've long been a qualified fan of code signing certs. If you have the proper perspective on them, they can provide valuable information that you can use to assess whether a program file is trustworthy.

Of course you can't blindly trust a program just because the file is signed. By whom is it signed? Is the signing certificate issued by a trusted authority?

One problem with this system was demonstrated recently with some malware written up by Sunbelt Software in this blog entry. The interesting part of it is that the malware was digitally signed. The certificate used to sign it was issued by the UserTrust network, which is run by genuine certificate authority Comodo (the specific name is UTN-USERFirst-Object).

Comodo revoked the certificate shortly after it became clear that it had been used to sign malware. It's uncommon, but this was a certificate sale that had survived an actual identification check. The buyer lost their certificate for having violated terms of service.

Seltzer summarizes:

Lots of security experts deride code signing because it's not perfect. But it's a necessary element of many systems for securing software. If you would ever want to implement a whitelisting system for software, you'd probably need to use code signing for it, for example. Code signing is widely used by mobile networks to control what code gets on to phones. This market needs to be made more accessible.

Tim Callan from VeriSign has also stated that the CA/Browser Forum, responsible for the EV Certificate Standard, is also interested in making a standard for EV Code Signing Certificates.

Originally posted on Sun Mar 16, 2008

Advertisement • Hide