[cryptography] How are expired code-signing certs revoked?

Jon Callas jon at callas.org
Fri Dec 9 15:46:18 EST 2011


On 8 Dec, 2011, at 8:27 PM, Peter Gutmann wrote:

> In any case getting signing certs really isn't hard at all.  I once managed it 
> in under a minute (knowing which Google search term to enter to find caches of 
> Zeus stolen keys helps :-).  That's as an outsider, if you're working inside 
> the malware ecosystem you'd probably get them in bulk from whoever's dealing 
> in them (single botnets have been reported with thousands of stolen keys and 
> certs in their data stores, so it's not like the bad guys are going to run out 
> of them in a hurry).
> 
> Unlike credit cards and bank accounts and whatnot we don't have price figures 
> for stolen certs, but I suspect it's not that much.

If it were hard to get signing certs, then we as a community of developers would demonize the practice as having to get a license to code.

	Jon
