Extended Validation; Safeguards & Code Signing Certificates
Certificate authority (CA) GlobalSign indicated earlier in the month that it would begin offering Extended Validation (EV) Code Signing Certificates.
Like standard Code Signing, EV Code Signing allows developers to digitally sign the applications and software they distribute over the Internet. The difference lies in stronger levels of assurance and key protection, which adhere to strict guidelines set by the CA/Browser Forum and Microsoft Corp.
Security enhancement for EV Code Signing
In addition to the publisher's name, which is verified for standard Code Signing Certificates, other information about the publisher, such as physical address and type of organization, is validated. This verification process makes it more difficult for malware distributors to impersonate a publisher and obtain a code signing credential for signing and distributing malware under the guise of a legitimate development company.
While regular Code Signing Certificates can reside locally on a developer's machine, EV Code Signing Certificates must be stored on cryptographic tokens. Using physical two-factor authentication reduces the risk that the certificate can be stolen or copied and used to distribute malicious software under the identity of the actual certificate holder.
"Now more than ever, the Internet needs safeguards in place to help reassure end users that the software they are downloading is safe," said Lila Kee, chief product officer, GlobalSign. "Malware distributors have become increasingly savvy with new ways to circumvent browsers and operating system installers using falsified or stolen signing certificates. GlobalSign is adding EV Code Signing Certificates to its portfolio to ensure our customers and developers alike have availability to the strongest authentication and security practices out in the market today to protect not only their code, but also their identity and reputation."