Microsoft PressPass – Microsoft and VeriSign Provide First Technology For Secure Downloading of Software Over the Internet
REDMOND, Wash., Aug. 7, 1996 — Microsoft Corp. and VeriSign Inc. today announced that the first technology to allow secure downloading of software over the Internet is now available. Using VeriSign’s Digital IDsSM for software publishers, the new Microsoft®
Authenticode technology uniquely identifies the publisher of a piece of software and provides assurance to end users that it has not been tampered with or modified. The combined technologies provide accountability for software distributed over the Internet, and protect against the spread of malicious code. Authenticode technology is supported today in Microsoft Internet Explorer 3.0, beta 2.
“VeriSign is pleased to have worked with Microsoft to provide the first Digital ID service for Authenticode, allowing users to securely download content over the Internet,”
said Stratton Sclavos, president and CEO of VeriSign Inc.
“The Internet’s global reach provides an incredible distribution channel for software vendors. With this service, users can feel confident that the applications they receive are authentic and tamper-proof.”
Uses Digital Signature Technology
Under the Authenticode program, developers must go through an application and verification process to ensure that certificates are issued only to the appropriate party. This eliminates any worry that developers could be falsely represented by an impostor. Once developers have been through this process, they then obtain a digital certificate from a certifying authority such as VeriSign. Then, before releasing their code on the Internet, developers apply their digital signature to the code using Microsoft Authenticode technology.
“We’re very excited that end users can now download software over the Internet, feel confident about where the software came from, and know that it hasn’t been altered in transit,”
said Pat Boyle, product manager for RealAudio development tools at Progressive Networks.
Now users can download the RealAudio ActiveX
™Control and feel confident it is the real thing.”
Developers can sign code created with any development tool – including ActiveX Controls, Java
applications, executables and dynamic link libraries (DLLs). Once these programs have been signed, users can validate that the code has not been modified after the signature was attached. If code has been tampered with, Microsoft Internet Explorer 3.0 displays a warning that the digital signature could not be verified, thereby alerting the user to the risk of compromised code.
“Authenticode technology is an important complement to any existing Java environment,”
said B.C. Krishna, vice president of technology for FutureTense Inc.
“By using Authenticode to digitally sign the Java-powered FutureTense Texture Viewer, we provide an extra layer of security that our customers seek.”
Open Industry Standard
Authenticode and VeriSign’s Digital ID service support Internet standards, including the X.509 certificate format and PKCS #7 signature blocks. In April 1996, Microsoft submitted a code-signing proposal supported by more than 40 companies to the World Wide Web Consortium (W3C) to facilitate the standardization of criteria for responsible software publishing, and the format of the digital certificates and signatures. Microsoft is continuing to work with the W3C to ensure that code-signing technology remains based upon open, cross-platform standards. The code-signing specification is also freely available for any software vendor to implement independently.
“The development of Authenticode reflects Microsoft’s commitment to creating open and interoperable security technologies for the Internet community,”
said Hank Vigil, general manager of the electronic commerce group at Microsoft.
“Microsoft is pleased to be working with the standards bodies and a broad range of technology partners. In particular, VeriSign has played a critical role in providing authentication services and pioneering this new technology with Microsoft.”
Microsoft Internet Security Framework
Authenticode is part of the Microsoft Internet Security Framework (MISF), a comprehensive set of cross-platform, interoperable security technologies for electronic commerce and online communications that support Internet security standards. MISF includes certificate services for management and authentication, a certificate server, support for client authentication, and a
Additional MISF services include comprehensive cryptography services, code signing, an implementation of the Secure Electronic Transactions (SET) protocol for credit-card transactions, secure transfer of personal security information, and support for secure sockets layer (SSL) and private communications technology (PCT) protocols. Availability and Pricing
Authenticode technology is supported today in Microsoft Internet Explorer 3.0, beta 2. It will be implemented in the final release of Microsoft Internet Explorer 3.0 and the Windows NT® and Windows® 95 operating systems shortly, with subsequent porting to Macintosh® and UNIX®
operating systems. Authenticode technology is available free of charge.
Digital IDs (Class 2) for individual software publishers at $20 or Digital IDs (Class 3) for commercial software publishers at $400 are now available through VeriSign’s Digital ID CentersSM.
Software companies and individual developers interested in signing their code need to obtain the Authenticode toolkit in the ActiveX SDK ( http://msdn.microsoft.com/workshop/misc/activexsdk/ ) that contains public and private key generation as well as code-signing utilities. Developers can then apply for a software publisher digital certificate from VeriSign’s Digital ID Center ( (http://digitalid.verisign.com/ ).
Software Companies Already Using Authenticode
Twenty software developers have already signed their code using Microsoft’s Authenticode technology and VeriSign’s Digital ID service. Microsoft will use VeriSign brand code-signing Digital IDs during the next 12 months. The leading software vendors using the Authenticode service include Autodesk Inc., Citrix Systems Inc., Cornerstone Imaging Inc., Dimension X, Farallon Communications Inc., Fulcrum Technologies Inc., FutureTense Inc., FutureWave Software Inc., ichat Inc., mBED Software, Media Architects Inc., Microcom Inc., Narrative Communications Corp., nCompass Labs Inc., Progressive Networks, Software Publishing Corp., Starfish Software Inc., Totally Hip Software Inc., Tumbleweed Software Corp. and Vivo Software Inc.
For more information about Authenticode and Microsoft’s Internet Security Framework, see the following Web sites: http://www.microsoft.com/security/ or http://www.microsoft.com /intdev/signcode/.
VeriSign Inc., the only company focused 100 percent on digital authentication products and services, provides its customers with the confidence necessary to conduct electronic commerce worldwide. VeriSign Digital IDs use today’s strongest cryptographic techniques to provide a trusted means of authenticating the identity of each party in an electronic transaction. They play a key role in ensuring the security for electronic transactions and communications. VeriSign is leading the industry by being first to market with server Digital IDs, client Digital IDs and now test SET certificates.
VeriSign was founded as a spin-off of RSA Data Security in April 1995. The company is working with its investors and partners such as Microsoft, Netscape, AOL and IBM to open the digital marketplace to all consumers. For more information, contact VeriSign at (415) 961-7500, or visit their Web site at (http://www.verisign.com/) .
Founded in 1975, Microsoft (NASDAQ
) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.
Microsoft, ActiveX, Windows NT and Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
VeriSign is a service mark and trademark and Digital ID and Digital ID Center are service marks of VeriSign Inc.
Java is a trademark of Sun Microsystems Inc.
Macintosh is a registered trademark of Apple Computer Inc.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.
For more information, press only:
Julie Hatchett, MacKenzie Kesselring, (801) 359-1005, [email protected]
Margit Wennmachers, (415) 512-0500, [email protected]
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://microsoft.com/presspass/ on Microsoft’s corporate information pages.
Media Contact List
Autodesk Inc. (http://www.autodesk.com/) Garth Bradley (415) 507-6530
Citrix Systems Inc. (http://www.citrix.com/) Vicky Harris (954) 340-2246
Cornerstone Imaging Inc. (http://www.pixtran.com/top/products/isisez/activex/) Dana E. Parker (408) 325-3978
Dimension X (http://www.dimensionx.com/) Megan McFeely (415) 243-0900
Farallon Communications Inc. (http://www.farallon.com/) Amal Abed (510) 814-5307
Fulcrum Technologies Inc. (http://www.fulcrum.com/) Gillian Brouse (613) 238-1761 ext. 251
FutureTense Inc. (http://www.futuretense.com/) B.C. Krishna (508) 263-5480
FutureWave Software Inc. (http://www.futurewave.com/) Xenia Moore (619) 274-5959
ichat Inc. (http://www.ichat.com/) Harry Pape (512) 349-0339 ext. 27
mBED Software (http://www.mbed.com/) William Ford (415) 778-0933
Media Architects Inc. (http://www.mediarch.com/) Paul Needham (503) 639-2505
Microcom Inc. (http://www.microcom.com/) Tom May (617) 551-1696
Lydia Loizides (604) 606-0950
Progressive Networks (http://www.realaudio.com/) Jay Wampold (206) 674-2700
Software Publishing Corp. (http://www.spco.com/) Helen Kendrick (408) 537-3197
Starfish Software Inc. (http://www.starfishsoftware.com/) Gregg Armstrong (408) 461-5840
Totally Hip Software Inc. (http://www.totallyhip.com/) Shelley Voyer (604) 685-6525
Tumbleweed Software Corp. (http://www.tumbleweed.com/) Mark Pastore (415) 569-3686
Vivo Software Inc. (http://www.vivo.com/) Daud Power (617) 899-8900 ext. 313