The settings you specify in this screen
will affect the action IWSVA takes on all Windows cabinet files and PE
COM objects (of which ActiveX controls are a subtype). For example, if
you configure IWSVA to check the signing certificate's expiration date,
then for all certificates that are expired, IWSVA also takes the action
specified for an invalid signature in the ActiveX
Security Rules page.
Check the expiration of signing certificate—If the signing certificate
is expired, the signature is considered invalid. IWSVA takes the action
configured for invalid certificates.
Check the expiration of all certificates in the chain—If any certificate
in the signing chain (including the root, but not the signing certificate)
has expired, then the signature is considered invalid. IWSVA takes the
action configured for invalid certificates.
If the signature has a timestamp countersignature—Some files have
timestamp "countersignatures." These are used to extend the validity
of a signature beyond the expiration dates on the certificates in its
signature chain.
Use timestamp when a certificate is expired—If
certificate expiration is being checked and one or more certificates are
found to be expired, validate the timestamp signature and use it if it turns
out to be valid. Note that timestamp signatures are validated in exactly the
same way (and under the same IWSVA settings) as the file signatures are.
Timestamp countersignatures do not expire—Do
not check the expiration of certificates in the timestamp signature. For
timestamp countersignatures this is considered normal (only revocation
– and the time of revocation – matters).
Check the revocation status of the certificate—If a certificate has a
status of "revoked," IWSVA considers the signature invalid.
If IWSVA cannot determine the status, you can have it reset the status
to either Valid or Invalid. Note that a revocation source must be designated
in a certificate, or in one of the certificates in its signing chain,
before a revocation check can be attempted.
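
The way these options combine can be modelled as a small decision function. This is an added example, not IWSVA's own code: the class, field and function names are hypothetical, and it assumes that a valid timestamp countersignature simply excuses an expired certificate in the file signature.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class Cert:
    not_after: datetime
    revocation: str = "good"  # "good", "revoked" or "unknown" (no status obtained)

@dataclass
class Signature:
    signer: Cert
    chain: List[Cert]  # issuing certificates, root included
    timestamp: Optional["Signature"] = None  # countersignature, if any

@dataclass
class Settings:  # hypothetical names mirroring the options on this screen
    check_signer_expiry: bool = True
    check_chain_expiry: bool = True
    use_timestamp_when_expired: bool = True
    timestamps_do_not_expire: bool = True
    check_revocation: bool = True
    unknown_status_is_valid: bool = False

def signature_valid(sig, s, now, is_timestamp=False):
    if s.check_revocation:
        for cert in [sig.signer] + sig.chain:
            if cert.revocation == "revoked":
                return False
            if cert.revocation == "unknown" and not s.unknown_status_is_valid:
                return False
    if is_timestamp and s.timestamps_do_not_expire:
        return True  # expiry is skipped; revocation was still checked above
    expired = (s.check_signer_expiry and sig.signer.not_after < now) or (
        s.check_chain_expiry and any(c.not_after < now for c in sig.chain))
    if not expired:
        return True
    # Assumption: a valid countersignature excuses the expiry found above.
    if is_timestamp or sig.timestamp is None or not s.use_timestamp_when_expired:
        return False
    return signature_valid(sig.timestamp, s, now, is_timestamp=True)

if __name__ == "__main__":
    # Constructed sample: signer expired in 2023, timestamp cert expired in 2024.
    now, root = datetime(2024, 6, 1), Cert(datetime(2030, 1, 1))
    tsa = Signature(Cert(datetime(2024, 1, 1)), [root])
    sig = Signature(Cert(datetime(2023, 1, 1)), [root], timestamp=tsa)
    print(signature_valid(sig, Settings(), now))                                # True
    print(signature_valid(sig, Settings(timestamps_do_not_expire=False), now))  # False
```

Because the countersignature is evaluated under the same settings, a revoked certificate in the timestamp chain makes the whole signature invalid even when "Timestamp countersignatures do not expire" is enabled.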