Although Microsoft’s Authenticode technology should work with software publisher digital certificates from any recognized certification authority, as this book went to press the only CA that was issuing these certificates was VeriSign.

VeriSign issues two kinds of software publisher’s certificates (sometimes called software publisher’s credentials): individual certificates and commercial certificates. Personal certificates are based on VeriSign’s Class 2 digital certificates. Commercial certificates are based on VeriSign’s Class 3 certificates, similar to the company’s web server certificates. (You do not need to have a web server or a domain of your own to obtain either kind of software publisher’s certificate.)

VeriSign’s certificate requesting process is performed on the company’s Digital ID web site. Keys must be generated with Microsoft Internet Explorer 3.0 or higher. As this book went to press, keys could only be generated on computers running the Windows 95 or Windows NT 4.0 operating systems.

Keys are generated by an ActiveX control that is downloaded to the web browser. The ActiveX control invites you to store the private key on removable media, such as a floppy disk. Because floppy disks are not terribly reliable, you should copy your private key to at least one other floppy disk. Private keys are not encrypted with passphrases.

After the key is created, the public key is transmitted to VeriSign over the Internet. VeriSign validates the user’s request and sends the user a URL and a PIN that can be used to retrieve the software publisher’s certificate.

Figure 9-12. Microsoft’s Internet Explorer will warn the user if unsigned code is being downloaded