Cute scenario! I would say that you shouldn't *install* signed software after the signing cert expires, but if you installed it before expiry it's still safe to use it.
In general, you shouldn't act based on a certificate if you don't know it's trustworthy (obviously), but the action in question here is installing the software, not running it.

Cheers,
William

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Peter Gutmann
Sent: Wednesday, December 07, 2011 7:02 AM
To: [email protected]
Subject: [cryptography] How are expired code-signing certs revoked?

Consider the following scenario:

1. Attackers steal a code-signing key and use it to sign malware.
2. The certificate for the stolen key expires.
3. Malware signed with the key turns up.

Since the signature is timestamped to allow it to still validate after the original cert expires, it'll be regarded as valid. Since the cert has now expired, it won't be present in the CRL, or if it was present it'll be removed (this is standard practice to manage CRL sizes).

How do you invalidate such a signature?

Peter.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
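
The scenario in this thread, modelled as an added example that is not part of the original messages: a simplified verifier that honours timestamps and consults a CRL pruned of expired certificates, next to the install-time policy suggested in the reply. All class names, function names, serials and dates are constructed for illustration, and revocation checking is reduced to CRL membership.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    serial: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Signature:
    cert: Cert
    timestamp: datetime  # signing time asserted by the timestamping service


def prune_crl(crl, certs, now):
    """Drop CRL entries for expired certs (the CRL-size practice in the thread)."""
    expiry = {c.serial: c.not_after for c in certs}
    # Serials the CA has no expiry record for are kept.
    return {s for s in crl if expiry.get(s, datetime.max) > now}


def timestamped_signature_valid(sig, crl):
    """Timestamp-honouring check: the cert was valid at signing time and is not
    on the current CRL. The current time is deliberately not consulted."""
    c = sig.cert
    return c.not_before <= sig.timestamp <= c.not_after and c.serial not in crl


def install_allowed(sig, crl, now):
    """Policy from the reply: additionally refuse to install after cert expiry."""
    return timestamped_signature_valid(sig, crl) and now <= sig.cert.not_after


# Constructed sample data: key stolen and cert revoked during its validity period.
CERT = Cert("01", datetime(2010, 1, 1), datetime(2011, 1, 1))
MALWARE_SIG = Signature(CERT, datetime(2010, 6, 1))
CRL_WHILE_VALID = {"01"}
AFTER_EXPIRY = datetime(2011, 12, 7)


def scenario():
    crl_later = prune_crl(CRL_WHILE_VALID, [CERT], AFTER_EXPIRY)
    return {
        "rejected_while_on_crl": not timestamped_signature_valid(MALWARE_SIG, CRL_WHILE_VALID),
        "accepted_after_pruning": timestamped_signature_valid(MALWARE_SIG, crl_later),
        "install_after_expiry": install_allowed(MALWARE_SIG, crl_later, AFTER_EXPIRY),
    }
```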
