[cryptography] How are expired code-signing certs revoked?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 10 00:15:52 EST 2011

Jon Callas <jon at callas.org> writes:

>If it were hard to get signing certs, then we as a community of developers
>would demonize the practice as having to get a license to code.

WHQL is a good analogy for the situations with certificates, it has to be made
inclusive enough that people aren't unfairly excluded, but exclusive enough
that it provides a guarantee of quality.  Pick any one of those two.

(I have a much longer analysis of this, a bit too much to post here, but
there's a long history of vendors gaming WHQL and the certifiers looking the
other way, just as there is with browser vendors looking the other way when a
CA screws up, although in the case of hardware vendors the action is
deliberate rather than accidental).


More information about the cryptography mailing list