Downloading programs via web browser can be a tricky proposition these days, thanks to the constant threat of malware. Microsoft has for the past several years created a system it calls SmartScreen that tries to alert Windows and Internet Explorer users if they might be downloading a suspicious program.
For Windows 8, Microsoft has set up the Windows Store to download programs with Microsoft's "modern" user interface. That system has its own internate certification program that's run by Microsoft. However, the company also knows that there will be plenty of Windows 8 users that will stick with the traditional desktop and download programs via Internet Explorer.
Today, in a new entry on the official IE blog, Microsoft announced that it has put its support behind a new software security system called the extended validation (EV) code signing certificate. EV code signing certificates are now supported in Microsoft's SmartScreen system for Windows 8, along with Internet Explorer 9 and 10. Microsoft also talks about the benefits of EV for software developers and consumers:
First, they require a more rigorous vetting and authentication process similar to that of EV SSL certificates that are in use today. This process requires a comprehensive identity verification and authentication process for each developer. Secondly, the EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of a code signing certificate.
Microsoft said that EV code signing certificates are now available from two software security companies, Symantec and DigiCert. Microsoft is also not forcing PC software developers to spend money to obtain EV certificates for their desktop programs. The blog states:
Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.
Source: Internet Explorer blog