Solution Overviews

Key Usage Models On Secure App Service (SAS)

Issue link: https://resources.digicert.com/i/1010864


DigiCert SAS: an Enterprise, Cloud-Based Signing Service

DigiCert Secure App Service (SAS) supports three signing models that are requested by major software and operating system vendors.

1. Unique Keys

This can also be referred to as a single-use model. In this model we create a new certificate on the fly for each signature event. This means a file or group of files has a 1-1 relationship between the certificate and the signing event during which the file is submitted for signing. Keys are never at risk of compromise as they are used only once, and if revocation is required no other applications are impacted. It is the safest signing method. This model is used for Java signing.

2. On-Demand Keys

This can also be referred to as the On-Demand Pool model. Keys are retained in a pool and assigned a friendly name for easy identification. When you submit an application for signing you can either choose one of the existing certificates or create a new one. This model is ideal if you need to sign files for use on Android operating systems (such as applications), since Android expects you to use the same certificate over and over again for each release of an application. You will therefore have a number of signing certificates associated with a signing service.

3. Pool of Rotating Keys

This model supports the Microsoft SmartScreen Filter reputation model. If you need to sign files for use on Microsoft operating systems (DLL files, EXE files, etc.), then Microsoft expects you to cycle through a pool of certificates rather than using the same certificates over and over again for signing. Keys are generated on demand as needed, and must be unique across a set number of days (1, 8, or 15). Once the number of days is reached, the keys are then re-used. Microsoft gives higher levels of reputation to publishers using this model. As a result we implement this for all our Microsoft-based signing services.

Which signing model do I need?

The models to use depend on the signing service requested but also on your own requirements/policies. For example, the on-demand signing model is often used for Android apps, but it can be used for several other signing services as well.
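The following added example (not DigiCert code and not the SAS API) models how each of the three models picks a key for a signing event, and which files are affected if one certificate is revoked. The class, method and key names are hypothetical, and the rotation rule is an assumed reading of the text above: no key repeats inside a window of N days, and reuse of the pool starts once the window has passed.

```python
from collections import defaultdict

class SigningService:
    """Toy model of key selection; key ids stand in for certificates."""

    def __init__(self, model, window_days=8):
        if model not in ("unique", "on_demand", "rotating"):
            raise ValueError(f"unknown model: {model}")
        self.model, self.window_days = model, window_days
        self.pool = []                    # key ids, in creation order
        self.window_start = None          # first day of the current rotation window
        self.cursor = 0                   # next pool slot to use in this window
        self.signed = defaultdict(list)   # key id -> files signed with it

    def sign(self, filename, day, key_name=None):
        if self.model == "unique":
            key = f"unique-{len(self.pool) + 1}"      # new certificate per event
            self.pool.append(key)
        elif self.model == "on_demand":
            if key_name is None:
                raise ValueError("on-demand signing needs a friendly key name")
            key = key_name                            # existing name, or a new one
            if key not in self.pool:
                self.pool.append(key)
        else:
            key = self._rotating_key(day)
        self.signed[key].append(filename)
        return key

    def _rotating_key(self, day):
        # Assumed reading: no key repeats inside a window; reuse starts after it.
        if self.window_start is None or day - self.window_start >= self.window_days:
            self.window_start, self.cursor = day, 0
        if self.cursor == len(self.pool):
            self.pool.append(f"rotating-{len(self.pool) + 1}")  # generated on demand
        key = self.pool[self.cursor]
        self.cursor += 1
        return key

    def revocation_impact(self, key):
        """Files whose signatures are affected if this key's certificate is revoked."""
        return list(self.signed.get(key, []))

if __name__ == "__main__":
    svc = SigningService("rotating", window_days=8)
    for d in (0, 1, 2, 8, 9):                         # constructed signing days
        print(d, svc.sign(f"build-{d}.exe", d))
    print(svc.revocation_impact("rotating-1"))
```

Comparing `revocation_impact` across the three models shows the trade-off the overview describes: one file per key for unique keys, every release for a reused on-demand key, and one file per window for each rotating key.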
