Three Validation Tiers of Code Signing Certificates
All code signing certificates work the same way: a private key signs a hash of the executable, and the corresponding public key, which is embedded in the certificate, lets anyone verify that signature. The difference between the three tiers lies in how thoroughly the Certificate Authority (CA) verifies the identity of the entity that holds the private key.
Individual Validation (IV)
The lowest level of code signing validation is Individual Validation. IV certificates are issued to a named person rather than to a registered business or another type of entity. The CA typically verifies the applicant’s identity via government-issued photo ID, but doesn’t check for organisational registration.
IV certification is a good fit for:
- Sole developers publishing software under their own name
- Open source maintainers who wish to sign releases with their own personal identity
Validation requirements usually stop at providing a government-issued photo ID.
Organisation Validation (OV)
Organisation Validation (OV) certificates are issued to registered businesses or legal entities. In this case, the CA checks that the organisation in question is a registered entity, confirms its address, and verifies that the person requesting the certificate is authorised to act on the entity’s behalf.
The signed binary shows the organisation’s verified name, giving end users a clear, accountable identity to evaluate.
OV certificates are a good choice for:
- Software companies
- Independent software vendors (ISVs)
- IT teams looking to sign internal tooling
- Entities looking to sign code in a way that displays their verified organisation name
Validation requirements include business registration documents, organisation-level address verification, and an authorisation check for the applicant.
Extended Validation (EV)
Extended Validation (EV) certificates undergo a rigorous identity check that goes well beyond that of OV or IV certificates. In this case, the Certificate Authority verifies the legal existence, physical address, and operational status of the entity seeking the certificate, as well as the applicant's authority to act on its behalf. This process can take several days from start to finish.
Strict validation requirements, however, come with important practical advantages for the holder of an EV certificate.
- Faster SmartScreen reputation build-up; non-EV certificates may take longer to accumulate download history and earn a positive reputation.
- Ability to sign kernel-level code (e.g. drivers, security software, etc.).
Validation requirements include a full legal, operational, and presence verification of the entity. This is a multi-day process.
| | IV | OV | EV |
|---|---|---|---|
| Receiving entity | Named individual | Registered organisation | Registered organisation |
| Validation | Photo ID | Business registration, authorisation | Full legal, operational, and physical |
| Signature shows | Individual’s name | Organisation name | Organisation name |
| SmartScreen status | Reputation takes time | Reputation takes time | Reputation takes time |
| Kernel-mode signing | No | No | Yes |
| Hardware key | Required | Required | Required |
| Issuance speed | 1-3 days | 1-3 days | 3-5 days |
To Summarize
IV, OV, and EV certificates all produce equally valid cryptographic signatures; they differ only in how thoroughly the requesting entity is verified. Feature-wise, an EV certificate offers the most comprehensive set of features and authority, but at the cost of the most in-depth verification; solo developers are likely to be perfectly fine with a lower-tier IV certificate.