
Authenticode


Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

Microsoft's Authenticode is part of its larger Internet Security Framework. It attempts to solve one of the larger questions facing the software industry today: How can users trust code that is published on the Internet? It provides a way to sign code so users know that programs obtained from the Internet are legitimate, just as shrink wrap and sealed boxes imply that off-the-shelf packaged software is authentic. Authenticode provides the following:

  • Authenticity, so you know who published the code

  • Integrity, so you know that code hasn't been tampered with since it was published

  • A legitimate and safe way to exchange programs over the Internet

The basic procedure for signing code is for a publisher to get a certificate from a certification authority. The publisher then signs the code with its private key to create a unique digital signature (note that the signature is inserted directly into the program file). The code can then be verified using functions that validate the digital signature, as discussed under "Certificates and Certification Systems." The functions indicate whether the code is valid or whether it is possibly fake or has been tampered with.

While Authenticode is a Microsoft initiative, Netscape and JavaSoft have developed their own code-signing technology called JAR (Java Archive Format). Still other vendors are developing their own technologies. The W3C (World Wide Web Consortium) at http://www.w3.org is attempting to consolidate these digital signing and certificate technologies into a single framework called the Digital Signature Initiative.




Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.