Twenty software vendors have announced their support for the new Digital ID Authenticode technology, released this week by Microsoft and VeriSign, which will allow secure downloading of software over the Internet. The technology, which uses a system of digital signatures and certificates to help customers identify legitimate software vendors, assures that downloadable software has not been tampered with and is the product of legitimate developers.
In order to implement the Authenticode technology, developers must go through an application and verification process and then purchase a digital certificate from a certifying authority such as VeriSign. Before making software available for download over the Internet, developers apply an Authenticode digital signature to their code to identify it as authentic and tamper-free.
Developers can sign code created with any development tool, including ActiveX Controls, Java applications, executables and dynamic link libraries (DLLs). Twenty software developers have already implemented the Microsoft Authenticode technology and VeriSign Digital ID service, including Farallon Communications, Fulcrum Technologies, FutureWave Software, Microcom, Progressive Networks, Software Publishing, Tumbleweed Software and Starfish Software. Microsoft and VeriSign would not comment on whether more software companies are currently undergoing the review process.
"Authenticode supports our aims to make our software available for download over the 'Net," says Min Yoo, director of business development at Tumbleweed Software, who adds that the Internet will be the most important software distribution tool for Tumbleweed in the next few years.
While software vendors are promoting the technology as a security boon to the customer, analysts point out that it is important to remember that software companies have their own motivations. "The software vendors are playing to the tune of 'oh, let us make the download process safe for you,' when they are really interested in getting more people to buy their products," says Kathryn Hale, principal analyst at San Jose, California-based market research firm Dataquest.
Microsoft is also heralding the Authenticode technology as a protective security feature for consumers, but Hale believes Microsoft has its own commercial agenda as well. "Microsoft is pushing Authenticode as a security issue, when it is really about getting developers to create secure ActiveX applications so that Microsoft can play in the Java sandbox," says Hale. Java applications have a built-in security feature, called a sandbox, which authenticates the code to the person downloading it -- a feature ActiveX does not include, says Hale.
"We were mainly involved in this deal to make sure our ActiveX tool gets included in the Microsoft tool package," says Tumbleweed's Yoo.
But Farallon denies that its motivation was driven by the ActiveX tool issue. "We did not need to accept and use Authenticode in order to get our ActiveX control on the Microsoft SiteBuilder CD," says Ray Bayer. "The real motivation for Farallon was to improve the customer experience so that they can feel as confident downloading our software as buying it shrink-wrapped," says Bayer.
Authenticode is available now with Microsoft Internet Explorer 3.0 beta 2, but will soon be integrated into the Windows 95 and NT, Macintosh and UNIX operating systems, according to Microsoft. Digital IDs from VeriSign, which Microsoft has committed to using for 12 months, will range from US$20 for individual software publishers to $400 for commercial software publishers.
The Authenticode toolkit, which contains public and private key generation and code-signing utilities, is available in the ActiveX SDK at http://microsoft.com/intdev/sdk/. VeriSign digital IDs are available at http://digitalid.verisign.com/.