MORE INFORMATION
What Is a Digital Certificate?
Digital signatures and certificates of authenticity can be
applied to executable programs, ActiveX controls, or Visual Basic for
Applications macros. These signatures provide you with the assurance that what
you are about to use comes from a reliable source and that it has not been
tampered with. Digital certificates help to prevent macro viruses from being
introduced into your Visio drawings, your computer, and your local
network.
A digital certificate is an identification (ID) that is
carried with a file. To validate a signature, a certifying authority validates
information about the software developers and then issues them digital
certificates. The digital certificate contains information about the person to
whom the certificate was issued, as well as information about the certifying
authority that issued it. When a digital certificate is used to sign programs,
ActiveX controls, and Visual Basic for Applications (VBA) macro projects, this
ID is stored with the signed item in a secure and verifiable form so that it
can be displayed to a user to establish a trust relationship.
What Is a Signature? Why Do We Need Them?
Microsoft Visio has introduced digital signatures to help users
distinguish legitimate code from undesirable and potentially damaging code. If
you open a Visio drawing or template and see a macro security warning with
digital signature information, you can feel reasonably confident that the
person (or corporation) signing the macros also created them. You can choose to
trust all macros signed by this person by clicking to select the Trust all
macros from this source check box. From then on, Visio enables the
macros without showing a security warning for any documents containing macros
signed by this trusted source.
A digital signature is the public
certificate plus the value of the signed data encrypted by a private key. The
value is a number generated by a cryptographic algorithm for any data that you
want to sign. This algorithm makes it nearly impossible to change the data
without changing the resulting value. So, by encrypting the value instead of
the data, a digital signature allows the end user to verify the data was not
changed.
What Happens with Each Security Level?
To take advantage of the benefits of digital signatures for
macros, Visio introduces security levels similar to other Office products. To
set the security level, point to Macro on the Tools menu, and then click
Security. These security levels are outlined in the following table.
Level     Action
-------------------------------------------------
Low       Turns off all macro security warnings in Office programs.
Medium    User prompted to enable or disable the macros on a
          file-by-file basis. Medium is the default level in Visio.
High      Only allows signed and trusted code to run.
When you open a file with macros under medium security, a
security warning offers you a choice between enabling or disabling macros. The
dialog box has digital signature information, if it is available for the file
being opened. This security level allows existing Visio 2000 VBA solutions,
which are not yet signed, to be enabled. Once a user chooses to trust all
macros from a source, Visio on medium security will automatically enable signed
macros from that trusted source.
Under high security, Visio silently
disables unsigned macros. This helps avoid accidental enabling of potentially
dangerous macros. Under high security, a security warning is shown for
digitally signed macros that have not been previously added to the Trusted
Sources list. This gives you the opportunity to inspect the digital
certificate and, if you choose to trust all macros from the source, to click
Enable Macros. The Enable Macros button is unavailable until you click to
select the Always trust macros from this source check box.
Low security is useful if you have installed the latest version of a virus scanner
and the most current virus signature files for that program and you feel
confident this virus scanner will detect all viruses.
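The signature check and the three security levels described above can be modeled together. The following is an added example, not Microsoft's or Visio's code: it uses a toy unpadded RSA key and SHA-256 as the "value", the names CERT, sign, verified_cert and macro_action are hypothetical, and the certificate-authority validation that real Authenticode verification performs is omitted.

```python
import hashlib

# Toy RSA key from two Mersenne primes, constructed for this example.
# Textbook RSA with no padding: illustration only, never for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, kept by the signer
CERT = ("Example Publisher", N, E)  # hypothetical stand-in for a certificate

def digest(data: bytes) -> int:
    """The 'value' of the data: its SHA-256 hash as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> dict:
    """Signature = public certificate + hash value encrypted with the private key."""
    return {"cert": CERT, "value": pow(digest(data), D, N)}

def verified_cert(data: bytes, sig):
    """Return the signer's certificate if the signature matches data, else None."""
    if sig is None:
        return None
    _, n, e = sig["cert"]
    # Decrypt the stored value with the public key and compare with a fresh hash.
    return sig["cert"] if pow(sig["value"], e, n) == digest(data) else None

def macro_action(level: str, data: bytes, sig, trusted: set) -> str:
    """Apply the Low/Medium/High table to one file's macros.
    Assumption: a signature that fails verification counts as unsigned."""
    if level == "Low":
        return "enable"                 # no security warnings at all
    cert = verified_cert(data, sig)
    if cert is not None and cert in trusted:
        return "enable"                 # signed by a trusted source
    if level == "Medium":
        return "prompt"                 # user decides file by file
    if level == "High":
        # Unsigned: silently disabled. Signed, not yet trusted: warning only.
        return "warn-until-trusted" if cert else "disable"
    raise ValueError(f"unknown security level: {level}")

if __name__ == "__main__":
    macro = b'Sub Hello()\n    MsgBox "hi"\nEnd Sub'  # constructed sample macro
    sig = sign(macro)
    for lvl in ("Low", "Medium", "High"):
        print(lvl, macro_action(lvl, macro, sig, set()),
              macro_action(lvl, macro + b"'", sig, {CERT}))
```

Changing a single byte of the macro after signing makes verification fail, so under High the edited file is disabled even though its signer is on the trusted list.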
Note Microsoft recommends using antivirus software that is certified
by ICSA, Inc. ICSA is completely independent and shares vital security
information with security product manufacturers, developers, security experts,
academia, and corporations. For more information, refer to the ICSA Certified
Anti-Virus Products Web site at:
For additional information about security levels, click the following article number to view the article in the Microsoft Knowledge Base:
297136
"The macros in the project are disabled" error message when you run a macro in Visio 2002
How Can I Get a Signature?
To obtain a digital signature, first, you need to get a digital
certificate. One option is to get a fully certified certificate from a
certificate authority. Both individuals and commercial entities can obtain a
commercially authenticated certificate for their code. To learn about the
application process and requirements, see Introduction to Code Signing at the
Microsoft Authenticode Web site. A list of Certificate Authorities is provided
at the following Microsoft Web site:
A Certificate Authority can issue you a digital certificate for
code signing for a fee. The Certificate Authority will do an in-depth
identification check before issuing a digital certificate for signing code. Be
sure to get a digital certificate that can sign code with Microsoft
Authenticode (Verisign calls this Class 2 or 3; Thawte calls this Developer
Certificates), rather than one that can only sign e-mail. If you try to use a
digital certificate that is not authorized to sign code, Visio warns that the
digital certificate is not trustworthy.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Microsoft provides third-party contact information to help you find
technical support. This contact information may change without notice.
Microsoft does not guarantee the accuracy of this third-party contact
information.