
Signing your applications with an OV code signing certificate enables them to build reputation together in Microsoft SmartScreen, rather than each binary building reputation separately. This allows developers to publish updated binaries without having to re-build reputation from scratch.

When you renew an OV certificate, reputation does not transfer from one certificate to the next, which makes sense as there are several ways to get a code signing certificate with the same subject as someone else. I wouldn't want someone to be able to legally change their name, get a certificate with the subject CN=Jonathon Penn, O=Jonathon Penn, S=Arkansas, C=US, and inherit the reputation I have built.

It seems to me that Microsoft is only using OV certificates to ensure "all of these binaries were made by the same person/organization". It seems like this could be done with self-signed certificates. Is there any technical or security reason why Microsoft might have chosen to require certificates to chain to a trusted CA?

Note: I realize the rules are different for EV certificates. I am not asking about that.

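As an added illustration of the point in the question that a certificate subject string only means something once the chain to a trusted root has been validated (my own example code, not from the question or the answer; the folder path is a placeholder), a PowerShell check that groups binaries by validated signer identity and keeps self-signed or otherwise untrusted signatures apart, even when their Subject matches a real publisher:

```powershell
# Added example: classify the Authenticode signers of binaries under a folder.
# Get-AuthenticodeSignature reports Status = Valid only when the signing
# certificate chains to a trusted root; a self-signed certificate carrying an
# identical Subject comes back with a non-Valid status (NotTrusted, UnknownError,
# ...) and is therefore reported as untrusted rather than merged with the
# publisher's genuine binaries.
function Get-SignerIdentity {
    param(
        # Folder to scan (assumption: contains .exe / .dll files)
        [Parameter(Mandatory)][string]$Path
    )

    Get-ChildItem -Path $Path -Include *.exe, *.dll -Recurse -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # Identity key: the subject alone is not an identity, so key on the
        # issuer as well, and only when the chain validated.
        $identity = if ($cert -and $sig.Status -eq 'Valid') {
            "$($cert.Issuer) | $($cert.Subject)"
        } else {
            'UNTRUSTED-OR-UNSIGNED'
        }

        [pscustomobject]@{
            File     = $_.FullName
            Status   = $sig.Status
            Subject  = if ($cert) { $cert.Subject } else { $null }
            Issuer   = if ($cert) { $cert.Issuer }  else { $null }
            Identity = $identity
        }
    }
}

# Usage: count binaries per validated publisher identity; anything that only
# *claims* a subject without a trusted chain lands in UNTRUSTED-OR-UNSIGNED.
# 'C:\Program Files\ExampleVendor' is a placeholder path.
Get-SignerIdentity -Path 'C:\Program Files\ExampleVendor' |
    Group-Object Identity |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Two files whose Subject fields match but whose Identity values differ are exactly the case the question describes: same name, different (or no) issuing chain.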

1 Answer


When you try to open an executable and SmartScreen blocks you, part of the user interface of SmartScreen shows the name of the publisher. That name is theoretically made more secure because it comes from a certificate that was signed by a trusted certificate authority.