[cryptography] How are expired code-signing certs revoked?

lodewijk andré de la porte lodewijkadlp at gmail.com
Wed Dec 7 20:13:50 EST 2011


I'm afraid signing software is multiple levels of bollocks. Imagine a user
just clicking yes when something states "Unsigned software, do you really
want to install?". Imagine someone working at either a software or a
signing company. Imagine someone owning a little bitty software company
that's perfectly legitimate and also uses the key to sign some of his
malware.

Software signing isn't usable for regular end users, experienced users
already have hashes to establish integrity up to a certain level, gurus
and security professionals compile from source instead of trusting some
binary. And yes, that does exclude hidden-source software; it's the only
sensible thing to do if you don't want trust but real security!

-Lewis

2011/12/7 Jon Callas <jon at callas.org>

>
> On 7 Dec, 2011, at 11:34 AM, ianG wrote:
>
> >
> > Right, but it's getting closer to the truth.  Here is the missing link.
> >
> > Revocation's purpose is one and only one thing:  to backstop the
> liability to the CA.
>
> I understand what you're saying, but I don't agree.
>
> CAs have always punted liability. At one point, SSL certs came with a huge
> disclaimer in them in ASCII disclaiming all liability. Any CA that accepts
> liability is daft. I mean -- why would you do that? Every software license
> in the world has a liability statement in it that essentially says they
> don't even guarantee that the software contains either ones or zeroes. Why
> would certificates be any different?
>
> I don't think it really exists, not the way it gets thrown around as a
> term. Liability is just a bogeyman -- don't go into the woods alone at
> night, because the liability will get you!
>
>        Jon
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>