Important Release Information
Microsoft Authenticode version 2.0 was coupled with Microsoft Internet Explorer 4.0, and it contains changes and enhancements over the previous version of Authenticode, which was released with Microsoft Internet Explorer 3.02 UPD. Another version of Authenticode was released for Microsoft Internet Explorer 5 and later.
The version of Authenticode that was released with Internet Explorer 3.02 UPD added several new, important code-signing features that improved on the initial implementation of Authenticode. Both the code-signing tools and browsers were updated with a new infrastructure that provides for these new features. The two most important features are:
- The addition of a verifiable signature time stamp. When a software publisher's certificate expires, it is impossible to determine if the software was signed during the valid period of the certificate without incorporation of a verifiable signature time stamp. Authenticode version 2.0 incorporates time stamping support in both the signing and verification tools. In addition, VeriSign will be supporting a verifiable time stamping service for Authenticode signing purposes.
- Inclusion of certificates in the certification authority verification hierarchy that expired on June 30, 1997. Earlier versions of Windows Internet Explorer are now unable to verify Authenticode signatures after that date. Internet Explorer version 3.02 UPD and later versions resolve this by eliminating these short-lived certificates. Signatures on certificates issued by VeriSign will properly verify until expiration of the VeriSign root certificate.
The Authenticode version for Internet Explorer 4.0 contains the same infrastructure and features as the Internet Explorer 3.02 UPD release. However, to provide a more consistent user interface, many of the command line option flags have been renamed or changed, and a few new ones have been added.
As a result of these Authenticode improvements, the following steps need to be taken:
- Software publishers need to re-sign their code using the Authenticode version 2.0 tools for Internet Explorer 3.02 UPD or later in order for users to be able to verify their signed files after June 30, 1997.
- Users need to upgrade to Internet Explorer 3.02 UPD or later in order to verify signed files after June 30, 1997.
Note that once files are re-signed, users of Internet Explorer versions earlier than 3.02 UPD will not be able to verify the re-signed files. But after July 1, 1997, users of Internet Explorer versions earlier than 3.02 UPD will not be able to verify any signed files, whether the files have been re-signed with the new tools or not. It is clearly in the users' best interest to upgrade to Internet Explorer 3.02 UPD or later to be able to continue to verify signed files. So software publishers should be able to re-sign their code using the new tools with confidence that users will be able to verify the files.
Additionally, by using the VeriSign service to time stamp the new signatures, software publishers gain the added benefit that the digital signatures will not need to be re-signed when their own software publishing certificate expires.