You may already have an idea of what a code signing certificate is and why organizations use one. Essentially, it provides assurance to users that a piece of software or an application comes from a genuine, identified publisher, and it lets their system confirm that the software has not been modified since it was signed.
Code signing does not make software free of vulnerabilities; what it does is let the platform detect tampering with the signed file and tie the file to an accountable publisher, which is what makes it trustworthy to download, install and run. However, software developers and publishing firms often face a dilemma: which of the two levels of code signing validation to choose.
They can go for Organization Validation (OV) or Extended Validation (EV) code signing certificates. So, what are OV and EV, and what are the differences that matter when buying one? Let’s get you an answer:
Standard or Organization Validation is where a Certificate Authority (CA) verifies your organization’s legitimacy. Legally registered companies with up-to-date records can get the validation done swiftly. The only thing you need to make sure of is that your registration information is accurate, because that is what the CA checks during verification.
The OV Code Signing Certificate bears the name of the organization or the individual who applied to a renowned CA or one of its trusted distributors. Here the CA, for instance Sectigo, validates your organization against online government records and your official website to confirm your registration status.
The details in the government records must match the ones you provided before the CA issues the certificate. OV code signing certificates are generally preferred by independent software developers and contributors who wish to boost user confidence in their digital products.
Extended Validation (EV) goes one step further in offering the maximum trust and confidence in your software products. Here, CAs follow the guidelines set by the CA/Browser Forum, which make it mandatory for them to verify each EV code signing request with extra documentation.
First, an EV Code Signing Certificate is only issued to registered businesses and organizations, not individuals. The validation process entails extensive vetting, and the private key must be generated and stored on a hardware security device (a USB token or HSM) so that it cannot be copied and used without authorization.
Software and applications signed with an EV code signing certificate gain an immediate reputation with the Windows Defender SmartScreen® reputation filter. Thus, users see fewer alerts and warning messages, which instills trust in your digital products.
| OV Code Signing Certificates | EV Code Signing Certificates |
|---|---|
| Software reputation is built organically as the download count grows, so there is no instant Microsoft SmartScreen reputation. | Software signed with EV gets immediate reputation with Microsoft SmartScreen, so users do not see the unknown-publisher warning. |
| The certificate and private key are delivered as a password-protected file (typically PFX/PKCS#12) stored on a computer; the file can be copied to another computer and used to sign executables there. | The private key is generated on, and never leaves, a hardware token. Signing requires the token to be attached plus its PIN, which is effectively two-factor authentication. |
| Can be used for signing drivers of legacy Windows versions (older than Windows 10). | EV is required for the Hardware Dev Center account through which Windows 10 kernel-mode (and user-mode) drivers are signed. |
| Issuance takes about 1 to 3 days. | The CA can take up to 5 business days for validation. |

Both OV and EV code signing certificates are accepted by all major platforms and signing tools.
Let’s go over the differences thoroughly to choose the best code signing certificate:
Under Microsoft’s driver signing policy, an OV certificate cannot be used to sign Windows 10 kernel-mode drivers. It can still be used for signing drivers of legacy Windows versions that came before Windows 10.
For Windows 10, Microsoft requires kernel-mode (and user-mode) drivers to be submitted to the Hardware Dev Center, where Microsoft itself signs them. Registering the Dev Center account and signing the submission package requires an EV certificate.
Thus, EV is your best bet if you develop drivers for Windows 10 or later.
As Microsoft describes it, SmartScreen application reputation checks a downloaded file against a list of files that are well known and widely downloaded by other people. If the file is not on that list, Windows warns the user before running it.
Software signed with EV lets developers skip this step: it gets an immediate reputation with Microsoft SmartScreen, so users are not shown the unknown-publisher warning. (SmartScreen can still block a file it later identifies as malicious, regardless of how it was signed.)
With OV, on the other hand, organizations have to build reputation organically as users download and install the software. Users get the alert until the software’s reputation reaches a level of popularity at which SmartScreen treats it as well known.
Thus, the EV code signing certificate is better in this aspect too.
As mentioned, an EV certificate goes a step further in security with two-factor authentication. The private key is generated on an encrypted USB hardware token, the token must be attached to the computer before signing, and the token’s PIN is required to use the key.
With OV, the certificate and private key are stored as a file on your computer and can be copied to sign software on another computer. Note that since June 2023 the CA/Browser Forum Code Signing Baseline Requirements require OV keys to be generated and stored on hardware as well, so newly issued OV certificates are no longer delivered as a plain file; the comparison here reflects the earlier practice.
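The two signing workflows just described, followed by a verification step that reads the signer certificate back and tells OV from EV by its CA/Browser Forum policy OID. This is an added example, not code from the original article or from any CA. It assumes signtool.exe from the Windows SDK is on PATH, that `app.exe` is the file to sign, that `ov-codesign.pfx` is a hypothetical file-based OV certificate, that the EV token’s driver has already registered its certificate in the CurrentUser\My store under the assumed subject name `Example Publisher Ltd`, and that the timestamp server URL is one your CA offers.

```powershell
# Added example, not from the original article. Assumed names: app.exe,
# ov-codesign.pfx, the subject 'Example Publisher Ltd' and the timestamp URL.

$file   = '.\app.exe'
$tsaUrl = 'http://timestamp.digicert.com'   # assumed RFC 3161 timestamp server

# --- OV, file-based key: anyone holding the .pfx and its password can sign ---
$pfxPassword = Read-Host 'PFX password'
& signtool.exe sign /fd SHA256 /tr $tsaUrl /td SHA256 `
    /f '.\ov-codesign.pfx' /p $pfxPassword $file

# --- EV, hardware token: signtool locates the certificate in the store and asks
# the token's CSP for the key; the token prompts for its PIN, so signing needs
# both the device and something you know. The key itself never leaves the token.
& signtool.exe sign /fd SHA256 /tr $tsaUrl /td SHA256 `
    /n 'Example Publisher Ltd' $file

# --- Verify: does Windows accept the signature, and is the signer EV or OV? ---
function Get-CodeSigningLevel {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return "${Path}: signature status $($sig.Status) ($($sig.StatusMessage))"
    }
    $cert = $sig.SignerCertificate
    # The Certificate Policies extension (OID 2.5.29.32) carries the CA/Browser
    # Forum policy identifier: 2.23.140.1.3 = EV code signing,
    # 2.23.140.1.4.1 = non-EV (OV / IV) code signing.
    $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    $text = if ($policies) { $policies.Format($true) } else { '' }
    $level = if     ($text -match '2\.23\.140\.1\.3\b')   { 'EV' }
             elseif ($text -match '2\.23\.140\.1\.4\.1')  { 'OV' }
             else   { 'unknown (no CA/B Forum policy OID)' }
    $timestamped = $null -ne $sig.TimeStamperCertificate
    "{0}: {1} certificate, subject '{2}', timestamped: {3}" -f `
        $Path, $level, $cert.Subject, $timestamped
}

Get-CodeSigningLevel $file
```

Whichever level you use, always pass `/tr` and `/td` so the signature carries an RFC 3161 timestamp; without it the signature stops validating once the certificate expires, and a file signed with a revoked key cannot be distinguished from one signed before the revocation. The OID check matters in practice because SmartScreen’s instant reputation and the Hardware Dev Center both key off the EV policy in the certificate, not off the word “EV” in a product listing.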
Both individuals and organizations can apply for an OV code signing certificate for their software. When issued to an individual, it is referred to as Individual Validation (IV).
EV certificates, on the other hand, are only issued to registered organizations: companies, NGOs, government agencies and other businesses. Since it involves extensive verification and vetting, it is not issued to individuals. However, it can be issued to sole proprietorships.
Both OV and EV code signing certificates are supported on major platforms such as
- Microsoft Authenticode
- Microsoft VBA (Visual Basic for Applications)
- Adobe AIR
Now that we have seen an extensive comparison of OV vs EV, organizations that want to boost user trust and confidence should use EV. It is the code signing certificate with the most extensive vetting, and it assures users of the authenticity of the software.
However, if you are an individual seeking to boost trust in your software, you can go for an OV code signing certificate. If you are an established organization, the EV code signing certificate is the best-suited one.