Thawte® Code Signing Certificate
Is your code secure?
With the advent of online distribution, developing and disseminating functional
code is easier than ever. However, such an environment also subjects code and software
to potential dangers presented by fraudulent and malicious code. Don’t expose your
customers to these threats. With a Thawte® Code Signing Certificate, you can protect
your customers and provide them with the safe, trustworthy code they deserve.
What is a Code Signing Certificate?
A Code Signing Certificate is a set of data that identifies an existing entity.
The certificate presents the entity’s public cryptographic key, allowing the public
user to verify the sender’s identity.
Code Signing Certificates frequently use digital signatures to verify the identity
of the content’s creator and to confirm that the content has not been tampered
with since it was originally distributed. With the rapid growth of content distribution
thanks to the Internet, code signing is absolutely critical for securing the delivery
of content to the consumer. Code Signing Certificates with digital signatures allow
publishers to sign .exe, .cab, .dll, and .ocx files; Java Applets and MIDlets; Microsoft®
Office documents with macros; and Apple desktop applications.
The Distribution Process for Code Signing Certificates:
The primary goal of a Code Signing Certificate is to confirm that the public key contained
in a certificate is, in fact, the public key belonging to the person or entity to
whom the certificate is issued.
The implementation of digital certification involves a signature algorithm (digital
signature) for signing the certificate.
- The client sends a certification request containing name and public key to a certification
authority. As an SSL reseller, Green SSL Certificates represents 4 different certification
authorities: VeriSign, Thawte, GeoTrust, and RapidSSL. For the purposes of this
Code Signing Certificate, Green SSL Certificates represents Thawte.
- Thawte creates a special message per the software publisher’s request, which constitutes
most of the data in the certificate. Thawte signs the message with its private key,
obtaining a separate signature (sig) in the process. Then Thawte returns the message
and the signature to the software publisher. Together, these two parts form the
certificate.
- The software publisher then sends the certificate to an end user to convey trust
in the public key.
- The end user verifies the signature sig using Thawte’s public key. If the signature
is verified, the end user accepts the software publisher's public key.
As with any digital signature, anyone can verify, at any time, that the certificate
was signed by Thawte, without access to any secret information. The end user needs
only to get a copy of a certificate in order to access the certificate authority’s
public key.
Who needs a Thawte® Code Signing Certificate from Green SSL Certificates?
It is absolutely necessary for any publisher intending to distribute code or content
over the Internet or corporate networks to use a Code Signing Certificate. Secure
customers are happy customers. Code Signing Certificates allow businesses and software
publishers to assure their customers about who produced the content and that it
has not been tampered with since its initial distribution. Newer operating systems
and Internet browsers are often set to higher security levels, which often require
signed content. Software publishers who do not use a Thawte® Code Signing Certificate
simply won’t be taken seriously in today’s environment.
Obtaining Certification from Thawte and other Certificate Authorities:
To obtain a certificate from Thawte and other certificate authorities represented
by Green SSL Certificates, a software publisher must meet the criteria for either a commercial
or an individual publishing certificate and submit these credentials to either a
CA or a local registration authority (LRA). The criteria discussed below have been
proposed by Microsoft. Note that standards bodies, such as the World Wide Web Consortium
(W3C), are reviewing these criteria and they are subject to change. A description
of the overall process of obtaining a certificate for code signing ends this section
of the document.
Commercial Certification:
In order to acquire a commercial software publishing certificate, applicants must
meet the following prerequisites:
- Identification - Applicants must submit their name, address, and other material
that proves their identity as corporate representatives. Proof of identity requires
either personal presence or registered credentials.
- The Pledge - Applicants must pledge that they will not distribute software that
they know, or should have known, contains viruses or would otherwise harm a user's
computer or code.
Individual Certification:
The following prerequisites must be met by an individual requesting a software publishing
certificate:
- Identification – Applicants must submit their name, address, and other material that
will be checked against an independent consumer database to validate their credentials.
- The Pledge – Applicants must pledge that they cannot and will not distribute software
that they know, or should have known, contains viruses or would otherwise maliciously
harm the user’s computer or code.
The value of an individual SPC is in the information it provides to users so they
can decide whether or not to download the code. Knowing who authored the code, and
that the bits have not been altered from the time the code was signed to the present,
is reassuring information. Additionally, a browser could be used to access a publisher's
Web pages so the user can obtain detailed information about the signed code, the
author, and the certificate authority. After learning about this code and the author,
the user might decide to run the code, or all future code, coming from this particular
individual.
Additional Information About Thawte® Code Signing Certificates:
- Thawte does not certify the content of a software publisher’s code. Code signing
certificates are only used to verify the publisher who signed the content and that
the content has not been altered or corrupted.
- It is of critical importance that you time stamp your code when signing it. Time
stamping ensures that signed code will not expire when the code signing certificate
expires. Signed code which has been time stamped is valid, even after the code signing
certificate has expired. A new certificate is only necessary if you want to sign
additional code. If you did not use the time stamping option during the signing,
you must re-sign your code whenever the code signing certificate changes due to
re-keying or renewal.
- In order to verify whether or not a file has been time stamped, follow these directions:
- Software publishers should ensure that their customers have the latest Microsoft
roots. For Windows XP, everything is automatic. For older versions of the Windows
operating system, it is highly recommended that the latest root update is installed.
Good security policy dictates that your root certificate store should have the most
current root certificate references from all trusted certification authorities,
thereby providing the widest capability to recognize trusted content.
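The distribution process and the time stamping rule described above, as an added example in Go's standard library (not Thawte's or Green SSL Certificates' tooling). All names, dates and keys are constructed, and the time stamp is modelled as an already-verified time value; a real time stamp is itself a signed token that must be checked first.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes the requester's key pair, then signs name + public key as the CA (nil ca: self-signed root).
func issue(cn string, from, to time.Time, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, BasicConstraintsValid: true, IsCA: ca == nil,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if ca == nil {
		ca, caKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// trusted plays the end user: CA signature checked with the root's public key, validity judged at time at.
func trusted(root, leaf *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

func demo(now time.Time) (atStamp, afterExpiry, wrongCA bool) {
	root, caKey := issue("Example CA", now.AddDate(-5, 0, 0), now.AddDate(5, 0, 0), nil, nil) // constructed CA
	impostor, _ := issue("Example CA", now.AddDate(-5, 0, 0), now.AddDate(5, 0, 0), nil, nil) // same name, other key
	leaf, _ := issue("Example Publisher", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), root, caKey) // expired a year ago
	stamp := now.AddDate(-1, -6, 0) // assumed signing time, inside the publisher certificate's validity
	return trusted(root, leaf, stamp), trusted(root, leaf, now), trusted(impostor, leaf, stamp)
}

func main() { fmt.Println(demo(time.Now())) }
```

The publisher certificate is accepted when judged at the stamped signing time, rejected when judged at the current time after expiry, and rejected when the trusted root is a different key that merely carries the same CA name.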
Get in touch with Green SSL Certificates about purchasing the secure, reliable Thawte® Code
Signing Certificate — today.