[cryptography] airgaps in CAs

Arshad Noor arshad.noor at strongauth.com
Tue Dec 27 15:20:41 EST 2011


On 12/12/2011 07:47 PM, Peter Gutmann wrote:

> If a TSA timestamps signatures (whose certs have long since expired, so it's
> only the timestamp that's keeping the signature valid), and it's discovered
> that there was a problem one or more years ago (as there has been for some CA
> compromises) then you'd need to issue a backdated revocation in order to catch
> the compromise, since using a revocation date of "now" won't revoke all the
> malware that's been signed/timestamped.  Since backdating the TSA cert
> revocation would potentially brick hundreds of millions of machines when their
> signed device drivers and other binaries fail to validate, you can't afford to
> do it.  The TSA cert is therefore irrevocable (or at least you can't revoke it
> in a manner that makes it effective against signed malware).

A TSA time-stamp on an object merely attests that the object existed
in a given state, at a specific time.  If the TSA's policy allows for
interpreting more into the time-stamp than what's described above,
then that's a different matter (I could be wrong, but I honestly doubt
that TSAs will accept more liability than what's described above for
their time-stamps).

In the case of signed software, whether the signature includes a TSA's
time-stamp or not, the most assurance an RP should assume from the
signature is that the software was signed with some private-key that
corresponds to the verifying key, and that the software was not
modified since the signature was affixed.  If the RP (or OS/driver
vendor) finds out that the CA which issued the driver-signing cert was
compromised some months/years ago, the driver vendor would be best
advised to release a patch immediately, with a new signature using a
new certificate from a new CA, a new time-stamp from a TSA, and update
their old driver regardless of the revocation status of the old CA, the
TSA, or the status of their old signing key.  Prudent businesses will
not wait to do so.

Arshad Noor
StrongAuth, Inc.
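
The revocation-date trade-off in the quoted paragraph, as an added example that is not part of either poster's message: a simplified relying-party model (an assumption, not any real verifier's logic) in which a timestamp is honoured only if it predates the TSA certificate's revocation date. All names, dates and sample objects are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class SignedObject:
    name: str
    timestamped: date       # time asserted in the TSA token
    cert_not_before: date   # validity window of the signing cert
    cert_not_after: date

def is_accepted(obj: SignedObject, today: date, tsa_revoked_from: Optional[date]) -> bool:
    """Simplified relying-party decision (assumed model, not a real verifier)."""
    # The timestamp is honoured only if it predates the TSA cert's revocation date.
    ts_trusted = tsa_revoked_from is None or obj.timestamped < tsa_revoked_from
    # With a trusted timestamp the signing cert is judged at signing time;
    # without one it must still be valid today.
    at = obj.timestamped if ts_trusted else today
    return obj.cert_not_before <= at <= obj.cert_not_after

def evaluate(objects, today, tsa_revoked_from):
    return {o.name: is_accepted(o, today, tsa_revoked_from) for o in objects}

# Constructed sample data: the TSA problem is assumed to date from mid-2010,
# discovered at "today"; every signing cert has since expired.
TODAY = date(2011, 12, 27)
PROBLEM_START = date(2010, 6, 1)
SAMPLES = [
    SignedObject("driver-2009", date(2009, 3, 1), date(2008, 1, 1), date(2009, 12, 31)),
    SignedObject("driver-2010", date(2010, 9, 1), date(2010, 1, 1), date(2010, 12, 31)),
    SignedObject("malware-2010", date(2010, 8, 15), date(2010, 1, 1), date(2010, 12, 31)),
]

if __name__ == "__main__":
    for label, revoked_from in [("revoked as of now", TODAY),
                                ("backdated revocation", PROBLEM_START)]:
        print(label, evaluate(SAMPLES, TODAY, revoked_from))
```

Revoking as of now leaves malware-2010 accepted; backdating rejects it together with the legitimate driver-2010, which is the collateral damage the quoted paragraph describes.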


