[cryptography] How are expired code-signing certs revoked?

Jon Callas jon at callas.org
Wed Dec 7 17:55:09 EST 2011


On 7 Dec, 2011, at 11:34 AM, ianG wrote:

> 
> Right, but it's getting closer to the truth.  Here is the missing link.
> 
> Revocation's purpose is one and only one thing:  to backstop the liability to the CA.

I understand what you're saying, but I don't agree.

CAs have always punted liability. At one point, SSL certs came with a huge disclaimer in them in ASCII disclaiming all liability. Any CA that accepts liability is daft. I mean -- why would you do that? Every software license in the world has a liability statement in it that essentially says they don't even guarantee that the software contains either ones or zeroes. Why would certificates be any different?

I don't think it really exists, not the way it gets thrown around as a term. Liability is just a bogeyman -- don't go into the woods alone at night, because the liability will get you!

	Jon
