Code Signing Digital IDs(SM) for Microsoft Office 2000/Visual Basic for
Applications (VBA)
Realizing the Possibilities of Internet Software Distribution

What is Developer Code Signing?
When customers buy software in
a store, the source of that software is obvious. Customers can tell
who published the software, and they can see whether the package has
been opened. These factors enable customers to make decisions about
what software to purchase and how much to "trust" those products.
When customers download software from the Internet, the most they
see is a message warning them about the dangers of using the
software. The Internet lacks the subtle information provided by
packaging, shelf space, shrink wrap, and the like. Without an
assurance of the software's integrity, and without knowing who
published the software, it's difficult for customers to know how
much to trust software. It's difficult to make the choice of
downloading the software from the Internet.
The solution to
these issues is Digital IDs from VeriSign, Microsoft's preferred
provider of digital certificate services. Through the use of digital
signatures, software developers can include information about
themselves and their code with their programs.
When users
download software code signed with Digital IDs from VeriSign, they
can be assured of:
- Content Source: The software really comes from the
publisher who signed it.
- Content Integrity: The software has not been altered or
corrupted since it was signed.
Users benefit from this
software accountability because they know who published the software
and that the code hasn't been tampered with. In the extreme case
that software performs unacceptable or malicious activity on their
computers, users can also pursue recourse against the publisher.
This accountability and potential recourse serve as a strong
deterrent to the distribution of harmful code. Developers benefit
from Office 2000/VBA Macro Signing because it puts trust in their
name and makes their products harder to falsify. By signing code,
developers build a trusted relationship with users, who then learn
to confidently download signed software from that publisher. With
Office 2000/VBA Macro Signing, developers can create signed macros
and users can make educated decisions about what software to
download, knowing who published the software and that it hasn't been
tampered with.

Who Needs a Code Signing ID?
Any publisher who plans to
distribute code or content over the Internet or over corporate
extranets risks impersonation and tampering. VeriSign Code Signing
IDs for Office 2000/VBA protect against these hazards. In
particular, if you are distributing macros you will want to sign
them using VeriSign Software Publisher IDs for Office
2000/VBA.
VeriSign offers a Class 3 Digital ID
designed for Commercial Software Publishers. These are companies and
other organizations that publish software. This class of Digital IDs
provides greater assurance about the identity of a publishing
organization and is designed to represent the level of assurance
provided today by retail channels for software.

What does Office 2000/VBA Macro Signing Look Like to Consumers?
Microsoft Word, Excel, PowerPoint and Outlook
2000 applications support signing and verifying digital signatures
on VBA code. Other 3rd party applications with VBA 7.0 may also
support digital signatures in VBA code (check with your
application). If an end user of one of these applications encounters
an unsigned VBA macro, the following will occur:
- If the application's security settings are set on "High," the
client application will not permit the unsigned code to run.
- If the application's security settings are set on "Medium,"
the client application will display a warning to ask the user if
they want to enable or disable this unsigned code.
By
contrast, if a user encounters signed VBA code in a file, the user
is informed:
- Of the true identity of the publisher (in this case Microsoft
Corporation).
- That there is no problem with the certificate (the lack of
additional warnings).
- The Details button will show the certificate, whose
authenticity is provided by VeriSign.
Users can choose to
trust all subsequent VBA code from the same publisher
source.
Simply by clicking the "More Info" button, users can
inspect the certificate and verify its validity.

Technical Overview: (Optional Reading)

What is a Digital ID?
A Digital ID (also known as a digital certificate) is a
form of electronic credentials for the Internet. Similar to a
driver's license, employee ID card, or business license, a Digital
ID is issued by a trusted third party to establish the identity of
the ID holder. The third party who issues certificates is known as a
Certification Authority (CA).
Digital ID technology is based
on the theory of public key cryptography. In public key cryptography
systems, every entity has two complementary keys--a public key and
private key--which function only when they are held together. Public
keys are widely distributed to users, while private keys are kept
safe and only used by their owner. Any code digitally signed with
the publisher's private key can only be successfully verified using
the complementary public key. Another way to look at this is that
code successfully verified using the publisher's public key (which
is sent along with the digital signature), can only have been
digitally signed using the publisher's private key (thus
authenticating the source of the code), and has not been tampered
with. For more information on public keys and private keys, please
see Introduction to Public Key Cryptography.
The
purpose of a Digital ID is to reliably link a public/private key
pair with its owner. When a CA such as VeriSign issues Digital IDs,
it verifies that the owner is not claiming a false identity. Just as
when a government issues you a passport it is officially vouching
for the fact that you are who you say you are, when a CA issues you
a digital certificate it is putting its name behind the statement
that you are the rightful owner of your public/private key
pair.

Certification Authorities
Certification
Authorities, such as VeriSign, are organizations that issue digital
certificates to applicants whose identity they are willing to vouch
for. Each certificate is linked to the certificate of the CA that
signed it.
As the Internet's leading Certification Authority,
VeriSign has the following responsibilities:
- Publishing the criteria for granting, revoking, and managing
certificates.
- Granting certificates to applicants who meet the published
criteria.
- Managing certificates (for example, enrolling, renewing, and
revoking them).
- Storing VeriSign's root keys in an exceptionally secure
manner.
- Verifying evidence submitted by applicants.
- Providing tools for enrollment.
- Accepting the liability associated with these
responsibilities.
- Time stamping digital signatures.

How does Office 2000/VBA work with VeriSign Digital IDs?
Office 2000/VBA
relies on industry standard cryptography techniques such as X.509 v3
certificates and PKCS #7 and #10 signature standards. These are
well-proven cryptography protocols, which ensure a robust
implementation of code signing technology.
Office 2000/VBA
uses digital signature technology to assure users of the origin and
integrity of software. In digital signatures, the private key
generates the signature, and the corresponding public key validates
it. To save time, the Office 2000/VBA protocols use a cryptographic
digest, which is a one-way hash of the document.
The process
is outlined below:
- Publisher obtains a Code Signing Digital ID from VeriSign.
- Publisher creates code.
- Using the Office 2000 Utility, the publisher:
  - Creates a hash of the code, using an algorithm such as MD5
    or SHA,
  - Encrypts the hash using his/her private key,
  - Creates a package containing the code, the encrypted hash,
    and the publisher's certificate.
- The end user encounters the package.
- The end user's Office 2000 Utility examines the publisher's
  Digital ID. Using the VeriSign root Public Key, which is already
  embedded in Office 2000/VBA-enabled applications, the end user's
  Office 2000 Utility verifies the authenticity of the Code Signing
  Digital ID (which is itself signed by the VeriSign root Private
  Key).
- Using the publisher's public key contained within the
  publisher's Digital ID, the end user Office 2000 or VBA
  application decrypts the signed hash.
- The end user's Office 2000 or VBA application runs the code
  through the same hashing algorithm as the publisher, creating a
  new hash.
- The end user's Office 2000 or VBA application compares the two
  hashes. If they are identical, the browser messages that the
  content has been verified by VeriSign, and the end user has
  confidence that the code was signed by the publisher identified in
  the Digital ID, and that the code hasn't been altered since it was
  signed.
The entire process is seamless and transparent to
end users, who see only a message that the content was signed by its
publisher and verified by
VeriSign.

Timestamping
Because key pairs are based
on mathematical relationships which can theoretically be "cracked"
with a great deal of time and effort, it is a well-established
security principle that digital certificates should expire. Your
VeriSign Digital ID will expire one year after it is issued.
However, most software is intended to have a lifetime of longer than
one year. To avoid having to re-sign software every time your
certificate expires, VeriSign and Microsoft introduced a
timestamping service. Now, when you sign code, a hash of your code
will be sent to VeriSign to be timestamped. As a result, when your
code is downloaded, clients will be able to distinguish between:
- Code signed with an expired certificate, which should NOT be
trusted, and
- Code signed with a certificate which was valid at the time the
code was signed, but which has subsequently expired. This code
SHOULD be trusted.
This means that you will not need to
worry about re-signing code when your Digital ID expires. VeriSign is
the only certification authority offering the time stamping service.
This service is free to all VeriSign Commercial and Individual Code
Signing ID customers.
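
The sign-and-verify process and the timestamp rule described above, as an added illustration (not VeriSign or Microsoft code). It uses textbook RSA over constructed toy keys, whereas real signatures are padded and carried in PKCS #7; the function names, the dict layout, integer YYYYMMDD dates and reuse of the CA key as the timestamping key are all assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (n, d) for textbook RSA from two primes (toy, no padding)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(*parts):
    """SHA-256 over the parts, as an integer: the 'hash' in the process."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def sign(h, key):      # "encrypts the hash using the private key"
    n, d = key
    return pow(h, d, n)

def recover(sig, n):   # "decrypts the signed hash" with the public key
    return pow(sig, E, n)

# Constructed keys built from known Mersenne primes: insecure, illustration only.
CA_KEY = make_key(2**521 - 1, 2**607 - 1)    # stands in for the VeriSign root
PUB_KEY = make_key(2**127 - 1, 2**1279 - 1)  # stands in for the publisher

def cert_digest(cert):
    fields = (cert["subject"], cert["n"], cert["not_after"])
    return digest(*(str(f).encode() for f in fields))

def issue_cert(subject, pub_n, not_after):
    cert = {"subject": subject, "n": pub_n, "not_after": not_after}
    cert["ca_sig"] = sign(cert_digest(cert), CA_KEY)  # CA vouches for the binding
    return cert

def stamp_digest(h, signed_at):
    return digest(str(h).encode(), str(signed_at).encode())

def sign_code(code, cert, signed_at=None):
    h = digest(code)
    stamp = None if signed_at is None else sign(stamp_digest(h, signed_at), CA_KEY)
    return {"code": code, "sig": sign(h, PUB_KEY), "cert": cert,
            "signed_at": signed_at, "stamp": stamp}

def verify(pkg, ca_n, now):
    cert = pkg["cert"]
    if recover(cert["ca_sig"], ca_n) != cert_digest(cert):
        return "untrusted certificate"   # Digital ID not signed by the root
    h = digest(pkg["code"])
    if recover(pkg["sig"], cert["n"]) != h:
        return "code altered"            # recomputed hash differs from signed hash
    stamp = pkg["stamp"]
    stamped = stamp is not None and recover(stamp, ca_n) == stamp_digest(h, pkg["signed_at"])
    when = pkg["signed_at"] if stamped else now  # a valid timestamp fixes the signing date
    return "trusted" if when <= cert["not_after"] else "certificate expired"
```

A package timestamped before the certificate's expiry date still verifies as trusted afterwards, while an unstamped package is judged against the current date.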

The Six Steps to Signing Code
Signing Code is an easy six-step
process. By following the instructions below, you will be signing
code in no time.

Step 1: Make Sure that You Are Running the Correct Versions of all Tools
These include:
- Internet Explorer 4.0 or later
- Win98 or Windows 2000
These tools are all available
free of charge at:

Step 2: Apply for a Code Signing ID for Office 2000 from VeriSign
Go to http://digitalid.verisign.com/developer/ms_pick.htm
for instructions on obtaining a Code Signing Digital ID.
In
the process of applying for a Code Signing ID, your browser will
generate a private key. You should store this private key (called
MyPrivateKey.pvk) on a floppy disk, which is stored in a safe
deposit box or other secure location. Please make a back-up copy of
this private key, as you will need this key to sign code. This key
is never sent to VeriSign, so if you lose this private key, you will
be unable to sign code. If this key is lost or stolen, please
contact VeriSign immediately.

Step 3: Pick up your Digital ID
Once you have completed the application process, VeriSign
will take a number of steps to verify your identity. For commercial
publishers, VeriSign does a considerable amount of background
checking. As a result, it will take approximately 3-5 days to verify
your information and issue a Digital ID. At the end of this process,
VeriSign will send you an e-mail containing a PIN (Personal
Identification Number). Follow the instructions in this e-mail to
pick up your Digital ID. Save your Digital ID as a file (e.g.
MyCredentials.spc).
Please note that you must use the same
machine to apply for and obtain your Digital ID. You can then use
the private key and Digital ID to sign files on a different
machine.

Step 4: Preparing for Timestamping
Set the registry key:
HKEY_Current_User\Software\Microsoft\VBA\Security\TimeStampURL
to:
http://timestamp.verisign.com/scripts/timstamp.dll
That is the URL for VeriSign's timestamping service. Please note that
"timstamp.dll" does not contain the letter "e".

Step 5: Sign your Files
You can now sign your .doc, .dot, .xls, .xlt,
.xla, .ppt, .pps, and .ppa files. To sign, load the file in the
appropriate Office application, and use the Digital Signature
command on the Tools menu in the Visual Basic Editor.

Step 6: Test Your Signature
Close and reopen your file with the
appropriate Office Application. If your signing process was OK, this
will bring up a security warning with the digital signature
information. Congratulations, you have just digitally signed your
file. If the file is tampered with in any way after it has been
signed, Office will attempt to re-sign. If the current user does not
have the certificate, the user will be notified. This makes it easy
for you to edit your macros and keep them signed. To add more
security for your private key, we recommend you password protect
your private key.

How Do You Require a Password before the Application Reuses Your Private Key?
With Internet Explorer 5, you can make it so that a
user has to type a password before Office uses the private key of
any of your personal certificates. This should prevent the
unauthorized use of your certificate if you leave your machine
unsecured. The password prompt helps to notify you when your project
has changed and Office is attempting to automatically re-sign your
code. If you did not intentionally change your code, forms, or
add/remove ActiveX controls, then you should suspect a virus entered
your VBA code.
To set a password for your private key, follow
the same instructions for "Using the Internet Explorer 5 Security UI
to Export" and "Using the Internet Explorer 5 Security UI to Import"
above.
- When in the Certificate Manager Import Wizard, choose the
"Enable strong private key protection" checkbox (you will see this
checkbox in the same dialog where you enter the password for your
exported PFX file).
- When you choose to Finish the Wizard, you will see a
Private Key Container dialog, choose the Set Security
Level... button
- Choose the High option to specify a password. Choose
Next.
- Write your name in the Password for textbox.
- Type your new Password for that name, and
Confirm it.
- Choose Finish
- The Certificate Store will ask you for the password again.
This is the dialog that you will see whenever your private key is
used. It specifies what the private key is being used for, and
asks for your password to authorize it. Type your password.
- Choose OK to finish.

Conclusion
Microsoft
and VeriSign are committed to making the Internet a secure and
viable platform for commerce and the distribution of content. With
Code Signing for Office 2000/VBA and VeriSign's Code Signing Digital
IDs, your code will be as safe and trustworthy to your customers as
it would be if you shrink-wrapped it and sold it off a store
shelf.
For more information on Code Signing IDs for Microsoft
Office 2000/VBA, including pricing, availability, and Frequently
Asked Questions, please visit http://www.verisign.com/developers.
For more
information on Office 2000 Macro Security, go to http://technet.microsoft.com/cdonline/Content/Complete/Desk/Office/TechNote/o2ksec.htm
to obtain the Microsoft Office 2000 Macro Security White
Paper.
© 2002 VeriSign, Inc. All rights reserved.