InCommon is operated by Internet2

Code Signing Certificates

Activation for Departments

Instructions for activating code signing certificates are on the InC-Collaborate wiki.

Use of Code Signing Certificates

This information is based on section 3.2.3 of the Code Signing CPS. [PDF]

Code Signing Certificates are a standard part of the InCommon Certificate Service and are automatically available to Registration Authority Officers (RAOs) at all subscribing organizations. RAOs can determine whether or not to make Code Signing Certificates available at the department level.

Code Signing Certificates may be issued to individuals or to specifically identified departments. An organization may also elect to have a single code signing certificate or a group of certificates that identify the organization at large. It is the responsibility of subscriber organizations to authenticate and identify the individual entities to which they issue Code Signing Certificates.

Subscriber organizations will issue certificates to their end users and/or specifically identified departmental organizations using a process that is at least as strong as their existing practice for managing accounts for central services such as electronic mail, calendaring, and access to central file storage.

For complete administrative details, see the Certification Practices Statement (CPS) for Code Signing Certificates [PDF]. We have also created a DIFF file that shows the changes [PDF] between the baseline SSL Certificate CPS and the Code Signing CPS.

Note: All code signing certificates, their issuance and use, are governed by the CPS. Subscribers are required to comply with its provisions.

Policy Issues

Issuance of Code Signing Certificates must comply with the corresponding Certification Practices Statement (CPS). Of particular note:

3.2.3.1 Special Rule for Code Signing Certificates: Code Signing Certificates are used by software on relying party's computers to verify that software downloaded and intended to run on their computer in fact originates from the source named in the certificate. However, most software verification systems ONLY DISPLAY THE COMMON NAME FIELD of the code signing certificate used. It is therefore the responsibility of the organization Subscriber to ensure that this field properly identifies the organization entity responsible for signing the software. This field SHOULD NOT be filled in so as to confuse the relying party as to the origin of the software or otherwise represent itself in a fraudulent manner.

4.2.1 Performing Identification and Authentication Functions: The Comodo website or API server validates that the “Country”, “Domain Name” and “Organization” fields of submitted CSRs are correct as determined at subscription time. It is the responsibility of the Subscriber institution to ensure that other relative distinguished name components are accurate for a given client certificate. In particular the institution must ensure that the Common Name (CN) relative distinguished name is properly provided. See 3.2.3.1.
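One way an RAO could screen the subject of a code signing request before approval, covering the CN responsibility that sections 3.2.3.1 and 4.2.1 leave to the subscriber. This is an added example, not InCommon or Comodo code. It assumes the subject is supplied as an RFC 4514 style string, and the organization, country and approved CN list are constructed sample values.

```python
import re
import unicodedata

# Constructed sample values; a real deployment would load these from the
# organization's subscription record and its list of approved signing entities.
SUBSCRIBED_ORG = "Example University"
SUBSCRIBED_COUNTRY = "US"
APPROVED_CNS = {"Example University", "Example University Library IT"}


def parse_subject(subject):
    """Parse an RFC 4514 style subject string into {attribute: [values]}."""
    attrs = {}
    for rdn in re.findall(r"(?:\\.|[^,\\])+", subject):  # split on unescaped commas
        key, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Undo single-character backslash escapes; hex-pair escapes are not decoded.
        value = re.sub(r"\\(.)", r"\1", value.strip())
        attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs


def fold(name):
    """Normalize for comparison: NFKC, case-fold, collapse whitespace."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def review_subject(subject):
    """Return a list of findings; an empty list means the subject passes."""
    attrs = parse_subject(subject)
    findings = []
    if attrs.get("O") != [SUBSCRIBED_ORG]:
        findings.append("O does not match the subscribed organization")
    if attrs.get("C") != [SUBSCRIBED_COUNTRY]:
        findings.append("C does not match the subscribed country")
    cns = attrs.get("CN", [])
    if len(cns) != 1 or not cns[0].strip():
        findings.append("subject must carry exactly one non-empty CN")
        return findings
    cn = cns[0]
    if cn in APPROVED_CNS:
        return findings
    if fold(cn) in {fold(a) for a in APPROVED_CNS}:
        findings.append("CN differs from an approved name only in case, spacing or character form")
    else:
        findings.append("CN is not an approved signing entity name")
    return findings
```

A CN that matches an approved name only after normalization is reported separately because it would look the same to a relying party who sees nothing but the CN field.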

Risk Perspective

An SSL certificate permits end users to establish a secure connection to a particular webserver located on your campus. By contrast, a Code Signing Certificate permits its holder to create software and distribute that software through any method to any personal computer in the world, where it will run without significant warning. If the creator of the software signs malware, it will be traceable to the university.

Copyright 2004-2013 InCommon LLC. All rights reserved. info@incommon.org. InCommon is operated by Internet2.