[cryptography] How are expired code-signing certs revoked?

William Whyte wwhyte at securityinnovation.com
Wed Dec 7 08:18:38 EST 2011

Cute scenario!

I would say that you shouldn't *install* signed software after the signing
cert expires, but if you installed it before expiry it's still safe to use.

In general, you shouldn't act based on a certificate if you don't know
it's trustworthy (obviously), but the action in question here is
installing the software, not running it.
-----Original Message-----
From: cryptography-bounces at randombit.net
[mailto:cryptography-bounces at randombit.net] On Behalf Of Peter Gutmann
Sent: Wednesday, December 07, 2011 7:02 AM
To: cryptography at randombit.net
Subject: [cryptography] How are expired code-signing certs revoked?

Consider the following scenario:

1. Attackers steal a code-signing key and use it to sign malware.
2. The certificate for the stolen key expires.
3. Malware signed with the key turns up.

Since the signature is timestamped to allow it to still validate after the
original cert expires, it'll be regarded as valid. Since the cert has now
expired, it won't be present in the CRL, or if it was present it'll be
removed (this is standard practice to manage CRL sizes).

How do you invalidate such a signature?

cryptography mailing list
cryptography at randombit.net
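The scenario Peter describes can be modelled in a few lines. The following is an added example, not code from either poster: it simulates a timestamped code signature, a CRL that is pruned of expired certificates, and two verification policies. All serial numbers and dates are constructed for illustration. The naive policy honours the timestamp for the validity window but checks revocation against the CRL as published now, so once the expired cert's entry is pruned the malware signature validates. The second policy assumes the CA keeps entries for expired code-signing certs and sets the revocation date to the estimated compromise time, and rejects any signature whose timestamp falls at or after that date while still accepting software signed before the theft.

```python
"""Toy model of timestamped code-signature validation against a CRL.

Constructed example (not from the mailing-list thread): certificate
serials, dates and the CRL contents below are made up to illustrate
the scenario of a stolen key whose certificate has since expired.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Signature:
    cert: Cert
    signed_at: datetime  # time asserted by a trusted timestamp token


# A CRL is modelled as a mapping from serial number to revocation date.
CRL = Dict[int, datetime]


def prune_expired_entries(crl: CRL, certs: Dict[int, Cert], now: datetime) -> CRL:
    """Standard CRL-size management: drop entries for certificates that
    have already expired by the time the CRL is issued."""
    return {serial: date for serial, date in crl.items()
            if certs[serial].not_after > now}


def within_validity_window(sig: Signature) -> bool:
    """The timestamp lets the signature validate after expiry, as long as
    the asserted signing time falls inside the cert's validity period."""
    cert = sig.cert
    return cert.not_before <= sig.signed_at <= cert.not_after


def verify_current_status(sig: Signature, crl: CRL) -> bool:
    """Naive policy: honour the timestamp for the validity window, but
    consult the CRL *as published now*.  Once the expired cert has been
    pruned, a revoked key looks clean."""
    return within_validity_window(sig) and sig.cert.serial not in crl


def verify_against_revocation_date(sig: Signature, crl: CRL) -> bool:
    """Hardened policy (assumption: the CA keeps revocation entries for
    expired code-signing certs and backdates the revocation date to the
    estimated compromise time).  Any signature timestamped at or after
    that date is rejected; earlier signatures remain valid."""
    revoked_at: Optional[datetime] = crl.get(sig.cert.serial)
    if revoked_at is not None and sig.signed_at >= revoked_at:
        return False
    return within_validity_window(sig)


def scenario() -> Dict[str, bool]:
    """Walk through the thread's timeline and report what each policy does."""
    cert = Cert(serial=0x1001,
                not_before=datetime(2009, 1, 1),
                not_after=datetime(2011, 1, 1))
    certs = {cert.serial: cert}

    compromise = datetime(2010, 6, 1)             # key stolen (estimated)
    legit = Signature(cert, datetime(2010, 1, 1))   # vendor's own release
    malware = Signature(cert, datetime(2010, 7, 1)) # attacker signs + timestamps

    # CA revokes the cert when the theft is detected, backdating to compromise.
    full_crl: CRL = {cert.serial: compromise}
    # Cert expires 2011-01-01; the CRL issued afterwards drops the entry.
    pruned_crl = prune_expired_entries(full_crl, certs, now=datetime(2011, 2, 1))

    return {
        "pruned_crl_is_empty": pruned_crl == {},
        "naive_accepts_malware": verify_current_status(malware, pruned_crl),
        "naive_accepts_legit": verify_current_status(legit, pruned_crl),
        "hardened_rejects_malware": not verify_against_revocation_date(malware, full_crl),
        "hardened_accepts_legit": verify_against_revocation_date(legit, full_crl),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The model makes the design point explicit: the timestamp only answers "was the cert valid when this was signed", and pruning expired entries from the CRL destroys the one piece of information (the revocation date) a verifier would need to answer "was the key already stolen when this was signed". Retaining entries for code-signing certs, and checking the timestamp against the revocation date rather than against the CRL's current membership, closes the gap without invalidating software signed before the compromise.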
