
It is clear that when timestamping is used with Authenticode, we can extend the validity of the signature beyond the expiration date of the code signing certificate. What happens after the timestamping certificate expires? Is this extension of the signature validity limited by the validity of the timestamping certificate?

By default, timestamps do not expire when the certificate chain expires. This can be changed by using the “lifetime signer OID” or setreg.exe for environments that wish to be more locked down. See the code signing best practices for details on timestamping.

Code-Signing Best Practices
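
The following audit script is an added example, not part of the original page or of Microsoft's guidance. For each signed file it reports whether a timestamp is present and whether the signer certificate carries the lifetime signer EKU, which together determine whether the signature can outlive the signing certificate. The function name and the OID value `1.3.6.1.4.1.311.10.3.13` (szOID_KP_LIFETIME_SIGNING) are not taken from the page; it does not examine any policy changed with setreg.exe.

```powershell
# Added example: report the facts that decide how long an Authenticode
# signature stays valid. Function name is hypothetical; OID is not from the page.
$LifetimeSignerOid = '1.3.6.1.4.1.311.10.3.13'   # szOID_KP_LIFETIME_SIGNING

function Get-SignatureLifetimeInfo {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate
        $tsa    = $sig.TimeStamperCertificate   # $null when the file is not timestamped

        # Collect the Enhanced Key Usage OIDs of the signer certificate.
        $ekuOids = @()
        if ($signer) {
            foreach ($ext in $signer.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
                }
            }
        }
        $lifetime = $ekuOids -contains $LifetimeSignerOid

        [pscustomobject]@{
            File                = $file
            Status              = $sig.Status
            SignerNotAfter      = if ($signer) { $signer.NotAfter } else { $null }
            Timestamped         = $null -ne $tsa
            TimestamperNotAfter = if ($tsa) { $tsa.NotAfter } else { $null }
            LifetimeSigner      = $lifetime
            # Timestamped and no lifetime signer EKU: the signature is expected
            # to remain valid after SignerNotAfter under the default behaviour.
            OutlivesSignerCert  = ($null -ne $tsa) -and (-not $lifetime)
        }
    }
}

# Usage: pass the binaries you ship, for example every DLL in the current folder.
Get-ChildItem -Path . -Filter *.dll |
    ForEach-Object { Get-SignatureLifetimeInfo -Path $_.FullName } |
    Format-Table File, Status, Timestamped, LifetimeSigner, OutlivesSignerCert
```

Files that show `Timestamped = False` are the ones whose signatures stop validating once the signing certificate expires.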

Can we timestamp kernel-mode components signed using Kernel-Mode Code Signing (KMCS) and SPC (Cross-Certificate) and will this action also extend the validity of the signature?

Timestamping for kernel-mode components is encouraged; see the KMCS walkthrough:
Kernel-Mode Code Signing Walkthrough

What type of software that developers program actually needs to be signed?

In general, the feedback from the developers who program on our platform is that they are concerned that after the signature expires, the component will not work.
While it is true that it is not always clear as to which interfaces actually require signatures and which do not, in general best practice is to sign all binaries.  This is what Microsoft does (generally – there are some exceptions, but relatively few).  Specific components will have specific requirements, and guidance is given to developers that specifically target these components.
