Technology to allow secure downloading of software over the Internet has been announced by Microsoft and VeriSign. The new Microsoft Authenticode technology uniquely identifies the publisher of a piece of software and is intended to assure users that the software has not been tampered with or modified.
Authenticode uses VeriSign's Digital IDs for software publishers, and is available in Microsoft Internet Explorer 3.0, beta 2. It will be implemented in the final release of Microsoft Internet Explorer 3.0 and the Windows NT and Windows 95 operating systems shortly, then ported to Macintosh and Unix operating systems, according to Microsoft.
To use Authenticode, software developers must go through an application and verification process to ensure that certificates are issued to bona fide vendors, not imposters. Once this is complete, they may obtain a digital certificate from a certifying authority such as VeriSign. Digital IDs (Class 2) for individual software publishers are priced at US$20, and Digital IDs (Class 3) for commercial software publishers cost US$400. Before making code available for download over the Internet, developers apply their digital signature to the code using Microsoft Authenticode technology.
Software companies and individual developers can get the Authenticode toolkit in the ActiveX SDK (http://microsoft.com/intdev/sdk/), which contains utilities for public and private key generation and for code signing. Digital certificates can be obtained from VeriSign's Digital ID Centre (http://digitalid.verisign.com/).
Twenty software developers have already signed their code using Microsoft's Authenticode technology and VeriSign's Digital ID service (see Support for Microsoft, VeriSign move). Microsoft will use VeriSign brand code-signing Digital IDs during the next 12 months.