[cryptography] How are expired code-signing certs revoked?

Jon Callas jon at callas.org
Sun Dec 18 16:04:59 EST 2011


On Dec 18, 2011, at 10:19 AM, M.R. wrote:

> On 2011-12-07 16:31, Jon Callas wrote:
>> There are many things about code signing that I don't think I understand.
> 
> same here.
> 
> But I do understand something about the code creation, dissemination
> and the trust between code creator and code user ("primary parties"),
> and the role of the operating system vendor (a "tertiary party") as
> an intermediary between the code creator and the code user.
> 
> With that said, I propose that "code signing" and then enforcing some
> kind of "use sanctioning" protocol by the operating system vendor is
> an idiotic idea, and fortunately one that has been proven as completely
> impractical and ill-aligned with the interest of the two primary parties, and thus continually rejected in practice.
> 
> What should be "signed" and "trusted" (or not trusted) is not the code,
> but the channel by which the code is distributed.

Which is precisely what can't be done, in the general case.

It's really, really doable in the singular case. If the channel signs the code (which is what Apple does on the App Store), then sure, Alice is your auntie.

But when developer D has code they sign *themselves* with a cert given from signatory S, and delivered to marketplace M, you end up with some sort of DSM-defined insanity. There's no responsibility anywhere. The worst, though, is to go to the signer and say, "This is another fine mess you've gotten me into, Stanley."

	Jon

