[cryptography] How are expired code-signing certs revoked?

Steven Bellovin smb at cs.columbia.edu
Wed Dec 7 11:52:18 EST 2011

On Dec 7, 2011, at 11:31:23 AM, Jon Callas wrote:
> But really, I think that code signing is a great thing, it's just being done wrong because some people seem to think that spooky action at a distance works with bits.

The question at hand is this: what is the meaning of expiration or revocation
of a code-signing certificate?  That I can't sign new code?  That only affects
the good guys.  That I can't install code that was really signed before the
operative date?  How can I tell when it was actually signed?  That I can't
rely on it after the specified date?  That would require continual resigning
of code.  That seems to be the best answer, but the practical difficulties
are immense.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
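The three interpretations above, modelled as verifier policies so the difference is concrete. This is an added example and not code from the thread; the data model, policy names, and the idea of a countersignature-attested signing time are this example's own assumptions, and the cryptographic check of the signature itself is assumed to have already passed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed model of a code-signing certificate and of one signature over a binary.
@dataclass
class SigningCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None if the cert was never revoked

@dataclass
class CodeSignature:
    cert: SigningCert
    # Signing time attested by a trusted third-party timestamp (countersignature),
    # or None when only the signer's own, unverifiable claim of a time is present.
    attested_signing_time: Optional[datetime]

def cert_cutoff(cert: SigningCert) -> datetime:
    """Instant after which the cert is no longer good: expiry, or an earlier revocation."""
    if cert.revoked_at is not None and cert.revoked_at < cert.not_after:
        return cert.revoked_at
    return cert.not_after

def signer_may_sign(cert: SigningCert, now: datetime) -> bool:
    """Interpretation 1: the cutoff only stops *new* signing. This check runs on the
    signer's side, so it only constrains signers who choose to honour it."""
    return cert.not_before <= now < cert_cutoff(cert)

def verify(sig: CodeSignature, now: datetime, policy: str) -> str:
    """Interpretations 2 and 3 on the verifier's side. Returns 'accept', 'reject'
    or 'unknown'. Policy names are this example's own:
      'signed-before-cutoff': accept iff signing provably happened before the cutoff,
                              which is only decidable with a trusted signing time
      'valid-until-cutoff':   accept only while the cutoff has not passed, so code
                              must be re-signed to stay installable"""
    cutoff = cert_cutoff(sig.cert)
    if policy == "signed-before-cutoff":
        t = sig.attested_signing_time
        if t is None:
            return "unknown"   # no trusted evidence of when it was actually signed
        return "accept" if sig.cert.not_before <= t < cutoff else "reject"
    if policy == "valid-until-cutoff":
        return "accept" if now < cutoff else "reject"
    raise ValueError(f"unknown policy {policy!r}")

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)
```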
