[cryptography] How are expired code-signing certs revoked?

Florian Weimer fweimer at bfk.de
Wed Dec 7 11:03:54 EST 2011


* Peter Gutmann:

> William Whyte <wwhyte at securityinnovation.com> writes:
>
>>I would say that you shouldn't *install* signed software after the signing
>>cert expires, but if you installed it before expiry it's still safe to use
>>it.
>
> That wouldn't work, consider the untold numbers of install CDs shipped with
> anything that you could think of conneting to a PC at some point (your shiny
> new digital camera, your electric toothbrush, ...).  These are often extremely
> out-of-date, but you can't block the install just because the cert has
> expired.

Then those code signing certificates cannot be revoked anyway.  The
problem you raised only applies to certificates that can be revoked. 8-)

I think RFC 5280 CAs which do not list expired certificates in CRLs are
simply unsuitable if you try to extend certificate validaty using
timestamp signatures.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99



More information about the cryptography mailing list