[cryptography] How are expired code-signing certs revoked?
jon at callas.org
Wed Dec 7 17:55:09 EST 2011
On 7 Dec, 2011, at 11:34 AM, ianG wrote:
> Right, but it's getting closer to the truth. Here is the missing link.
> Revocation's purpose is one and only one thing: to backstop the liability to the CA.
I understand what you're saying, but I don't agree.
CAs have always punted liability. At one point, SSL certs came with a huge disclaimer in them in ASCII disclaiming all liability. Any CA that accepts liability is daft. I mean -- why would you do that? Every software license in the world has a liability statement in it that essentially says they don't even guarantee that the software contains either ones or zeroes. Why would certificates be any different?
I don't think it really exists, not the way it gets thrown around as a term. Liability is just a bogeyman -- don't go into the woods alone at night, because the liability will get you!