
Is there some reliable way to detect whether a particular code signing certificate is a "Class 3" certificate?

This crops up as a requirement in a lot of Microsoft's Authenticode documentation, but it's never made clear how to tell a Class 3 cert from any other kind of cert. Sometimes it's clear enough from just reading the details - e.g., VeriSign include the phrase "Class 3 Code Signing" in their certificate subjects when signing your cert. But looking for particular text in the subject of certificates in the certification path seems flakey.

By observation, it seems that a combination of and "Enhanced Key Usage" that includes "Code Signing (1.3.6.1.5.5.7.3.3)", plus being signed by a trusted CA is a common feature, but I've not read anything that suggests that this would be a reliable test.

Ian Griffiths
  • There are valid class 2 VeriSign certificates with 'Code Signing' (at least on my machine :-). Where have you seen that "class 3" requirement? The Authenticode specification available here: http://msdn.microsoft.com/en-us/library/gg463180.aspx doesn't say anything about "class 3", only about the Code Signing OID. AFAIK, class 3 is an "internal" VeriSign check (that has spread to other CAs) – Simon Mourier May 30 '14 at 08:10
  • It looks like the requirements have changed since I wrote this (and I can see pages have changed in the wayback machine archive). Various things used to require 'Class 3' certs (e.g., signing up for WER, signing certain kinds of drivers) but it looks like EV certs are what's now required, and the docs have been updated accordingly. (The Authenticode spec itself didn't refer to this, but some features and services required not just the use of Authenticode, but signature with a cert that has certain characteristics.) – Ian Griffiths May 30 '14 at 11:56
  • Indeed Winqual did require a VeriSign-only certificate (and that is changing this year as you say, they're ok with DigiCert as well) but I think the term "class 3" is just because it was the only one available from VeriSign for Authenticode back then. I don't think anything special has ever been written in these kinds of certificates, it's just for display. – Simon Mourier May 30 '14 at 13:42

0 Answers
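The check described in the question (a Code Signing EKU plus a chain that builds to a trusted root), as an added example that is not part of the original post or its comments. It assumes PowerShell 7 or later; the function name `Test-CodeSigningCertificate` and the self-signed sample certificate are constructed for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # OID quoted in the question

function Test-CodeSigningCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Collect every EKU OID; a certificate without the extension yields an empty list.
    $ekuOids = @(
        $Certificate.Extensions |
            Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )

    # Build the chain against the machine's trust stores.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # keep the run offline
    try {
        $trusted = $chain.Build($Certificate)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    } finally {
        $chain.Dispose()
    }

    # Subject and Issuer are returned for manual reading only; the verdict
    # fields do not depend on any "Class 3" wording in them.
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Issuer            = $Certificate.Issuer
        HasCodeSigningEku = $ekuOids -contains $CodeSigningOid
        ChainTrusted      = $trusted
        ChainStatus       = $status -join ', '
    }
}

# Constructed sample: an in-memory self-signed certificate carrying the Code Signing EKU.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Sample Publisher', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$ekus = [OidCollection]::new()
[void]$ekus.Add([Oid]::new($CodeSigningOid))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekus, $false))
$now    = [DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))

# The sample has the EKU but is self-signed, so it does not chain to a trusted root.
Test-CodeSigningCertificate -Certificate $sample
```

For a signed file, pass the `SignerCertificate` property of the object returned by `Get-AuthenticodeSignature` instead of the constructed sample.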