Microsoft Announces New EV Code Signing Requirements

Cybercriminals today target critical and sensitive data by repackaging popular free applications and infecting them with malware, spyware, adware, and Trojans. BitDefender reports that 1.2% of all mobile applications are legitimate applications that have been repackaged to deliver ads and collect user information.

On December 3, 2013, Microsoft announced that starting on March 15, 2014, all new UEFI code submissions must be signed by an Extended Validation (EV) Code Signing Certificate, with a deadline of August 15 for existing submitters to migrate applications to be signed with an EV Code Signing Certificate.

The EV validation process requires developers to undergo a thorough identity verification process defined by standards and recommendations produced in bodies such as the CA/Brower Forum, CA Security Council, and the Internet Engineering Task Force (IETF). DigiCert recognized this opportunity to enhance application security and worked with Microsoft to offer EV Code Signing Certificates ahead of the implementation timelines announced.

Because of the more detailed validation process, EV Code Signing Certificates carry more implicit trust than standard Code Signing Certificates. This additional level of trust grants applications immediate reputation with the Windows 8 SmartScreen Filter and ensures the authenticity of applications online and in App Stores. The EV Code Signing requirement from Microsoft will enhance application security and improve online trust.

Programs signed by an EV Code Signing Certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. We think the improvements in the vetting and security of these certificates are a great development for both users and developers.

—Jeb Haber, Lead Program Manager, Microsoft Windows SmartScreen

The need for secure software is greater than ever. The pressure on application developers will continue to increase as new threats to the security of user data emerge. While developers already focus on application and software security during the development process, EV Code Signing ensures continued security after software has been released to the public.

By digitally signing all applications and custom drivers with a Code Signing Certificate, developers can assure users that applications are authentic and created by the original developer.

Posted in Announcements, Product, Uncategorized