[cryptography] How are expired code-signing certs revoked?

William Whyte wwhyte at securityinnovation.com
Wed Dec 7 09:42:03 EST 2011

Well, I think the theoretically correct answer is that you *should*...
these days all the installers can be available online, after all.


-----Original Message-----
From: Peter Gutmann [mailto:pgut001 at cs.auckland.ac.nz]
Sent: Wednesday, December 07, 2011 9:21 AM
To: cryptography at randombit.net; pgut001 at cs.auckland.ac.nz;
wwhyte at securityinnovation.com
Subject: RE: [cryptography] How are expired code-signing certs revoked?

William Whyte <wwhyte at securityinnovation.com> writes:

>I would say that you shouldn't *install* signed software after the
>signing cert expires, but if you installed it before expiry it's still
>safe to use it.

That wouldn't work, consider the untold numbers of install CDs shipped
with anything that you could think of connecting to a PC at some point
(your shiny new digital camera, your electric toothbrush, ...).  These are
often extremely out-of-date, but you can't block the install just because
the cert has expired.

