Code Signing Certificates
Activation for Departments
Instructions for activating code signing certificates are on the InC-Collaborate wiki.
Use of Code Signing Certificates
This information is based on section 3.2.3 of the Code Signing CPS. [PDF]
Code Signing Certificates are a standard part of the InCommon Certificate Service and are automatically available to Registration Authority Officers (RAOs) at all subscribing organizations. RAOs can determine whether or not to make Code Signing Certificates available at the department level.
Code Signing Certificates may be issued to individuals or to specifically identified departments. An organization may also elect to have a single code signing certificate or a group of certificates that identify the organization at large. It is the responsibility of subscriber organizations to authenticate and identify individual entities for which it issues Code Signing Certificates.
Subscriber organizations will issue certificates to its end users and/or specifically identified departmental organizations using a process that is at least as strong as its existing practice for managing accounts for central services such as electronic mail, calendaring, and access to central file storage.
For complete administrative details, see the Certification Practices Statement (CPS) for Code Signing Certificates [PDF]. We have also created a DIFF file that shows the changes [PDF] between the baseline SSL Certificate CPS and the Code Signing CPS.
Note: All code signing certificates, their issuance and use, are governed by the CPS. Subscribers are required to comply with its provisions.
Issuance of Code Signing Certificates must comply with the corresponding Certification Practices Statement (CPS). Of particular note:
18.104.22.168 Special Rule for Code Signing Certificates: Code Signing Certificates are used by software on relying party's computers to verify that software downloaded and intended to run on their computer in fact originates from the source named in the
certificate. However most software verification systems ONLY DISPLAY THE COMMON NAME FIELD of the code signing certificate used. It is therefore the responsibility of the organization Subscriber to ensure
that this field properly identifies the organization entity responsible for signing the software. This field
SHOULD NOT be filled in so as to confuse the relaying party as to the origin of the software or otherwise
represent itself in a fraudulent manner.
4.2.1 Performing Identification and Authentication Functions:
The Comodo website or API server validates that the “Country”, “ “Domain Name” and “Organization” fields of submitted CSRs are correct as determined at subscription time. It is the responsibility of the
Subscriber institution to ensure that other relative distinguished name components are accurate for a
given client certificate. In particular the institution must ensure that the Common Name (CN) relative
distinguished name is properly provided. See 22.214.171.124.
An SSL certificate permits end users to establish a secure connection to a particular webserver located on your campus. By contrast, a Code Signing Certificate permits its holder to create software and distribute that software through any method to any personal computer in the world and it will run without significant warning. If the creator of the software signs malware, it will be traceable to the university.