[cryptography] How are expired code-signing certs revoked?

M.R. makrober at gmail.com
Sun Dec 18 13:19:27 EST 2011


On 2011-12-07 16:31, Jon Callas wrote:
> There are many things about code signing that I don't think I understand.

same here.

But I do understand something about the code creation, dissemination
and the trust between code creator and code user ("primary parties"),
and the role of the operating system vendor (a "tertiary party") as
an intermediary between the code creator and the code user.

With that said, I propose that "code signing" and then enforcing some
kind of "use sanctioning" protocol by the operating system vendor is
an idiotic idea, and fortunately one that has been proven as completely
impractical and ill-aligned with the interest of the two primary 
parties, and thus continually rejected in practice.

What should be "signed" and "trusted" (or not trusted) is not the code,
but the channel by which the code is distributed.

Mark R.
