Some issues related to Symantec Corporation's digital code-signing certificate

The VeriSign-issued Symantec Corporation code-signing certificate, which has already been in use for 3 years, will expire on Nov. 24th, 2010. Symantec has applied for a 3-year code-signing certificate that starts from Sept. 8th, 2010. This situation raises the following concerns for me.

As far as I know, Symantec has used digital certificates to ensure the validity of its program code since 2001.

Here are the two things I am quite interested in:

1. Since 2007, VeriSign Class 3 Code Signing 2004 CA, the secondary certificate authority owned by VeriSign, has always issued 3-year digital certificates to software manufacturers directly, and this tendency has become more and more significant since the beginning of 2009. Looking at the digital certificates issued these days, the ones issued by VeriSign Class 3 Code Signing 2009 CA and VeriSign Class 3 Code Signing 2009-2 CA usually last more than 2 years. It is certain that software manufacturers are likely to buy digital certificates that remain valid for longer. However, the deeper underlying reasons are:

1) Class 3 Public Primary Certification Authority, the root certificate of VeriSign Class 3 Code Signing 2004 CA, VeriSign Class 3 Code Signing 2009 CA and VeriSign Class 3 Code Signing 2009-2 CA, uses not only a 1024-bit public key but also merely the MD2 signature algorithm. This is clearly behind the latest trends in the Internet security field. According to the requirements of the National Institute of Standards and Technology (NIST), USA, the 1024-bit RSA algorithm will be abolished before Dec. 31st, 2010, and all trusted root Certificate Authorities have been informed that they have to move from 1024-bit root certificates to 2048-bit ones. In addition, they have to remove all 1024-bit root certificates from the trusted root certificate list (Microsoft has not forced this to be executed yet).

PS: the timetable for the upgrade of digital certificate algorithms, from Mozilla:

Dec 31st, 2010: All CAs have to stop issuing user certificates shorter than 2048 bits;
June 30th, 2011: Mozilla will no longer support any secondary root certificates or user certificates that use the MD5 algorithm;
Dec 31st, 2013: Mozilla will remove all insecure root certificates shorter than 2048 bits.

2) For the above reasons, the price of VeriSign code-signing certificates has dropped. Renewal and long-term certificate purchases will be more cost-effective.

3) Is it predictable enough that we can conclude Symantec will be purchased by another corporation?

2. Since Symantec has already purchased VeriSign's digital certificate business, why not produce a root certificate named Symantec CA that uses the same private key as Class 3 Public Primary Certification Authority does (since the private keys are identical, the system will accept it no matter whether it exists in the trusted root certificate authority list or not) to sign the new Symantec code-signing certificate?
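An added example to make the key-size and signature-algorithm concern in point 1) of the post concrete. This is editor-added code, not code from the original post, Symantec or VeriSign: it walks a DER-encoded X.509 certificate with only the Python standard library, reads the signature algorithm OID, the RSA modulus size and the validity period, and flags what the 2048-bit and MD5 milestones quoted above would reject. The certificate it inspects is constructed inside the script (a 1024-bit modulus with no cryptographic value, empty issuer and subject names, and a zero-filled placeholder signature that is never verified); the algorithm OIDs come from RFC 3279 and RFC 4055, and the cutoff dates are the ones the post quotes.

```python
# Added example, not code from the original post, Symantec or VeriSign: parse a DER X.509
# certificate with the standard library only and check it against the thread's milestones.
import datetime

OID_NAMES = {                                  # RFC 3279 / RFC 4055 algorithm OIDs
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
ISSUANCE_CUTOFF = datetime.date(2010, 12, 31)  # no new end-entity certs under 2048 bits
MD5_CUTOFF = datetime.date(2011, 6, 30)        # Mozilla drops MD5-signed certificates

def der_len(n):                      # DER encoders below only build the constructed sample
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):                      # non-negative INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    first, *rest = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * first + rest[0]])
    for p in rest[1:]:               # base 128, high bit set on every byte but the last
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def alg_id(oid):                     # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return tlv(0x30, der_oid(oid) + b"\x05\x00")

def build_certificate(key_bits, sig_oid, not_before, not_after):
    modulus = (1 << (key_bits - 1)) | 0x10001       # right size, no cryptographic value
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, alg_id("1.2.840.113549.1.1.1") + tlv(0x03, b"\x00" + rsa_key))
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    empty_name = tlv(0x30, b"")                     # issuer and subject left empty for brevity
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(0x1234) + alg_id(sig_oid)
              + empty_name + validity + empty_name + spki)
    signature = tlv(0x03, b"\x00" + bytes(key_bits // 8))  # placeholder, never verified
    return tlv(0x30, tbs + alg_id(sig_oid) + signature)

def read_tlv(buf, pos):              # DER decoding: return (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def decode_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def utctime(raw):                    # "YYMMDDHHMMSSZ"; RFC 5280: YY < 50 means 20YY
    return datetime.date((2000 if raw[:2] < "50" else 1900) + int(raw[:2]), int(raw[2:4]), int(raw[4:6]))

def inspect_certificate(der):        # assumes an RSA key, as in the certificates discussed
    tbs, outer_alg, _signature = children(read_tlv(der, 0)[1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:         # optional EXPLICIT [0] version
        fields = fields[1:]
    _serial, _alg, _issuer, validity, _subject, spki = fields[:6]
    spki_alg, spki_key = children(spki[1])
    modulus = children(children(spki_key[1][1:])[0][1])[0][1]   # skip BIT STRING unused-bits byte
    not_before, not_after = (utctime(v.decode()) for _, v in children(validity[1]))
    return {"sig_alg": OID_NAMES.get(decode_oid(children(outer_alg[1])[0][1])),
            "key_alg": OID_NAMES.get(decode_oid(children(spki_alg[1])[0][1])),
            "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "not_before": not_before, "not_after": not_after}

def policy_findings(info):           # what the NIST / Mozilla timeline in the thread rejects
    findings = []
    if info["key_bits"] < 2048:
        when = "issued" if info["not_before"] > ISSUANCE_CUTOFF else "still valid"
        findings.append(f"{info['key_bits']}-bit RSA key, {when} after the 2048-bit cutoff")
    if info["sig_alg"] in ("md2WithRSAEncryption", "md5WithRSAEncryption"):
        tail = ", valid past the Mozilla MD5 cutoff" if info["not_after"] > MD5_CUTOFF else ""
        findings.append(f"{info['sig_alg']} signature{tail}")
    return findings

if __name__ == "__main__":           # the 1024-bit, MD2-signed, 3-year case discussed in the thread
    print(policy_findings(inspect_certificate(build_certificate(1024, "1.2.840.113549.1.1.2", "100908000000Z", "130907235959Z"))))
```

To run it against a real certificate, pass the DER bytes to `inspect_certificate` (for PEM, strip the armor lines and `base64`-decode first) and run it over every certificate in the chain, root included, since the post's point is about the root. The walker only reads the fields this check needs; it does not verify the signature or the chain, so a clean result here says nothing about whether the certificate is trusted, only whether its key size and signature algorithm survive the quoted cutoffs.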

Sorry Jia, I made a mistake. It is VeriSign Trust Network that is the root certificate of Class 3 Code Signing 2009 CA, not Class 3 Public Primary Certification Authority.