[cryptography] How are expired code-signing certs revoked?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Dec 7 22:28:36 EST 2011

Marshall Clow <mclow.lists at gmail.com> writes:

>This is only true if signing the malware is an expensive (in some terms) 
>proposition. It's certainly not expensive in terms of computing power.

The rate-limiting factor is how many certs you can steal, and how quickly.  The 
technology side doesn't even come into it.  So this is a valid measure, and 
will continue to be so, because you can't speed up the cert-stealing process.

It's the same with monetary fraud; the rate-limiting step there is how fast
you can cash out the accounts.  Sure, your botnet has collected 50M accounts 
and associated authorisation information, but how fast can you cash them out?

Velocity limiting via computationally intractable means is one security 
measure that is universally effective and hard to bypass.


