Dear Software Publisher,

This letter is to inform you:

a) Of the changes in the next version of Authenticode
b) How these changes will improve your ability to distribute code beyond the expiration date on your certificate
c) What steps you need to take to take advantage of these changes

The Authenticode(tm) certificates that you obtained from VeriSign will expire on February 27, 1998. Under the current version of Authenticode, Internet Explorer (for Windows 95 and Windows NT 4.0) will treat the code signed with these certificates as expired code once these certificates expire. Also, the root certificates that Microsoft generated and that are recognized by IE will expire on June 30, 1997.

Microsoft and VeriSign have worked together to implement changes in Authenticode 2.0 which will solve these problems by:

1) Renewing all the root certificates, and
2) Introducing a verifiable timestamp signature.

This mail summarizes how these changes will affect signed code and how to ensure that your signed code is verified correctly with Internet Explorer after June 30, 1997. There are several technical issues in the previous version of Authenticode technology that are being addressed in the current release.

WHAT ARE THE ISSUES?

By design, certificates expire in order to enhance the integrity of the certificate and prevent the indefinite use of a certificate. Certificates, such as those provided by VeriSign, provide assurance to the end-user of the identity and financial viability of the software publisher. By creating this "valid time window" for a certificate, the design of Authenticode limits the potential damage that can arise from a compromised certificate and provides the basis for end-user trust.

However, certificate expiration will cause two issues in the short term. First, a critical Microsoft root certificate, used in older versions of Internet Explorer, will expire on June 30, 1997. This will require all Internet Explorer users to update to Authenticode 2.0.
Second, under Authenticode 1.0, when a software publisher's certificate expires, it is difficult to determine whether the software signed with this certificate was signed during the valid period of the certificate. Without incorporating a verifiable signature timestamp service, Internet Explorer will be unable to verify Authenticode signatures after the certificates issued by VeriSign and other CAs expire.

HOW DOES AUTHENTICODE 2.0 ADDRESS THESE ISSUES?

First, Authenticode 2.0 renews the critical Microsoft root certificate discussed above. Second, Authenticode 2.0 resolves the issues with software publishers' certificates by incorporating timestamping support in both the signing and verification tools. In addition, VeriSign has introduced a verifiable timestamping service for code signing purposes. Through these steps, Authenticode 2.0 eliminates "short lived" signatures and the problems associated with keeping your signatures current. Authenticode 2.0 also provides the infrastructure for future versions of Internet Explorer to enable Certificate Revocation.

WHAT SHOULD YOU DO?

IN THE SHORT TERM:

All of your signed code needs to be re-signed with timestamps using the new code signing tools that are being released by Microsoft with Authenticode 2.0. You must sign these components before your certificate expires. However, these newly signed components should not be released before June 30.

Please note that versions of Internet Explorer prior to IE 3.02 will not be able to upgrade to Authenticode 2.0 and will therefore not recognize timestamped signatures. Microsoft will be urging all Internet Explorer users to upgrade to IE 3.02 and the Authenticode 2.0 Update beginning June 3rd. Publishers are encouraged to do so also, and are allowed to host the client Authenticode 2.0 Update themselves, if desired.
To download the new Authenticode 2.0 signing tools, and for any further questions related to this, please visit the website http://iptdweb.microsoft.com/resign using the ID and password listed below [passwords omitted].

AFTER JUNE 16:

Authenticode 2.0 also provides the infrastructure for future versions of Internet Explorer to enable Certificate Revocation. Starting June 15, VeriSign will begin offering an on-line status service. Together, these will provide users with up-to-the-minute information about the status of software publishers, and enable the use of downloaded code in high-trust environments.

As mentioned above, certificates expire after one year. However, with the use of timestamping, the software signed by certificates can have a much longer lifetime. On June 15, VeriSign will offer several subscription options for maintaining a record of your certificate in the status server beyond the one year expiration date. If you choose to use this subscription service, VeriSign will issue a special status certificate, and maintain that certificate for multiple years. While publishers will not be able to sign code with these subscription status certificates, users accessing the status service will be able to determine:

a) Which certificates have expired, but have not been revoked. By extension, timestamped code signed by these certificates within the validity period should be trusted.
b) Which certificates, in addition to having expired, have also been revoked (e.g. due to private key compromise). By extension, even if the code was signed and timestamped when the certificate was valid, users would be advised not to trust the code.

VeriSign will be sending you a notice in early June with the details of this new service. By working together in this way, Microsoft and VeriSign will effectively extend the lifetime of software, even in a highly security conscious environment.
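The following Python program is an added illustration, not Microsoft's or VeriSign's code, of the verification decision described in the two sections above: a signature is accepted while the publisher's certificate is within its validity window; once the certificate has expired, it is accepted only if a countersigned timestamp falls inside that window and the status service does not report the certificate as revoked. HMAC with constructed keys stands in for the publisher's RSA signature and the timestamping service's countersignature, a dictionary stands in for the status server, and the certificate subject, code bytes and scenario dates are constructed (the validity dates mirror the February 27 expiry in the letter).

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed stand-ins for key material: the real scheme uses RSA key pairs,
# HMAC is used here only so the example runs with the standard library.
PUBLISHER_KEY = b"publisher-signing-key-constructed"
TSA_KEY = b"timestamp-service-key-constructed"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class SignedCode:
    code_hash: bytes
    cert: Certificate
    signature: bytes
    timestamp: Optional[datetime] = None    # time asserted by the timestamping service
    timestamp_sig: Optional[bytes] = None   # service countersignature over (signature, time)


def _mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


def sign_code(code: bytes, cert: Certificate, timestamp_at: Optional[datetime] = None) -> SignedCode:
    """Publisher signs the code hash; optionally the signature is countersigned with a timestamp."""
    code_hash = hashlib.sha256(code).digest()
    signature = _mac(PUBLISHER_KEY, code_hash, cert.subject.encode())
    ts_sig = None
    if timestamp_at is not None:
        ts_sig = _mac(TSA_KEY, signature, timestamp_at.isoformat().encode())
    return SignedCode(code_hash, cert, signature, timestamp_at, ts_sig)


def verify(code: bytes, signed: SignedCode, now: datetime, status: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether to trust signed code. Once the certificate has expired, the
    certificate is evaluated at the countersigned timestamp instead of at 'now'."""
    if hashlib.sha256(code).digest() != signed.code_hash:
        return False, "code hash mismatch"
    expected = _mac(PUBLISHER_KEY, signed.code_hash, signed.cert.subject.encode())
    if not hmac.compare_digest(expected, signed.signature):
        return False, "bad publisher signature"
    # A revoked certificate is never trusted, even for code timestamped while it was valid.
    if status.get(signed.cert.subject) == "revoked":
        return False, "certificate revoked"
    # Certificate still within its validity window: the Authenticode 1.0 case.
    if signed.cert.valid_at(now):
        return True, "certificate valid now"
    # Expired certificate: only a countersigned timestamp inside the window rescues it.
    if signed.timestamp is None or signed.timestamp_sig is None:
        return False, "certificate expired and signature not timestamped"
    expected_ts = _mac(TSA_KEY, signed.signature, signed.timestamp.isoformat().encode())
    if not hmac.compare_digest(expected_ts, signed.timestamp_sig):
        return False, "bad timestamp countersignature"
    if not signed.cert.valid_at(signed.timestamp):
        return False, "timestamp outside certificate validity"
    return True, "certificate expired but timestamped while valid and not revoked"


# Constructed scenario: a one-year certificate expiring February 27, 1998.
CERT = Certificate("Example Publisher (constructed)", utc(1997, 2, 27), utc(1998, 2, 27))
SAMPLE_CODE = b"constructed sample binary"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    plain = sign_code(SAMPLE_CODE, CERT)
    stamped = sign_code(SAMPLE_CODE, CERT, timestamp_at=utc(1997, 7, 1))
    late_stamp = sign_code(SAMPLE_CODE, CERT, timestamp_at=utc(1998, 6, 1))
    expired_ok = {CERT.subject: "expired"}
    revoked = {CERT.subject: "revoked"}
    return {
        "1.0 style, before expiry": verify(SAMPLE_CODE, plain, utc(1997, 9, 1), {}),
        "1.0 style, after expiry": verify(SAMPLE_CODE, plain, utc(1999, 1, 1), expired_ok),
        "timestamped, after expiry": verify(SAMPLE_CODE, stamped, utc(1999, 1, 1), expired_ok),
        "timestamped, revoked": verify(SAMPLE_CODE, stamped, utc(1999, 1, 1), revoked),
        "timestamp after expiry": verify(SAMPLE_CODE, late_stamp, utc(1999, 1, 1), expired_ok),
        "tampered code": verify(SAMPLE_CODE + b"x", stamped, utc(1997, 9, 1), {}),
    }


if __name__ == "__main__":
    for name, (trusted, reason) in run_scenarios().items():
        print(f"{name:28s} -> {'TRUST' if trusted else 'REJECT'}: {reason}")
```

The ordering of the checks is the point: revocation is consulted before the date logic, so a compromised key cannot be laundered through an old timestamp, and the timestamp is only believed after its own countersignature has been checked.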
CONCLUSION

Microsoft's goal is to keep Internet Explorer and Microsoft Authenticode Technology a highly secure and easy to use platform for executing downloaded code. Your efforts to provide a reliable authenticity and integrity mechanism by using Authenticode technologies are greatly appreciated, and we at Microsoft are working to incorporate the needs of end-users as well as software publishers to help improve the software distribution process.

If you have questions regarding Authenticode 2.0, please direct them to safecode@microsoft.com. For future updates to this letter, please visit http://www.microsoft.com/security

The Authenticode Team
Microsoft Corporation