[cryptography] How are expired code-signing certs revoked?

Randall Webmail rvh40 at insightbb.com
Fri Dec 9 17:41:04 EST 2011


From: "Nico Williams" <nico at cryptonector.com>

> What should matter is that malware should not be able to gain control
of the device or other user/app data on that device, and, perhaps,
that the user not even get a chance to install said malware, not
because the malware's signatures don't chain up to a trusted CA but
because the "app store" doesn't publish it and the user uses only
trusted app stores.  Neither of the last two is easy to ensure though

And yet we see things like someone (apparently) sneakernetting a thumb-drive from an infected Internet Cafe to the SIPR network: <http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html>

If the USG can't even keep thumb drives off of SIPR, isn't the whole game doomed to failure?   (What genius thought it would be a good idea to put USB ports on SIPR-connected boxes, anyway?)



More information about the cryptography mailing list