* Peter Gutmann:

> William Whyte <[email protected]> writes:
>
>>I would say that you shouldn't *install* signed software after the signing
>>cert expires, but if you installed it before expiry it's still safe to use
>>it.
>
> That wouldn't work, consider the untold numbers of install CDs shipped with
> anything that you could think of connecting to a PC at some point (your shiny
> new digital camera, your electric toothbrush, ...). These are often extremely
> out-of-date, but you can't block the install just because the cert has
> expired.

Then those code signing certificates cannot be revoked anyway. The
problem you raised only applies to certificates that can be revoked. 8-)

I think RFC 5280 CAs which do not list expired certificates in CRLs are
simply unsuitable if you try to extend certificate validity using
timestamp signatures.

-- 
Florian Weimer <[email protected]>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
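
The following is an added example, not part of the original message or of any CA's or verifier's code. It models the point about CRLs that drop expired certificates: once the entry is gone, a verifier checking a timestamped signature after expiry cannot tell "never revoked" from "revoked, then pruned". All names, dates and the policy of rejecting signatures timestamped at or after revocation are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

def publish_crl(revocations, certs, now, keep_expired):
    """CRL as published at `now`: {serial: revocation time}.
    keep_expired=False models a CA that drops entries once the cert expires."""
    return {s: t for s, t in revocations.items()
            if keep_expired or certs[s].not_after > now}

def verify(cert, signed_at, crl, now, crl_keeps_expired):
    """Check a signature carrying a trusted timestamp `signed_at`.
    Assumed policy: signatures timestamped at or after revocation are rejected."""
    if not cert.not_before <= signed_at <= cert.not_after:
        return "reject: timestamp outside validity"
    revoked_at = crl.get(cert.serial)
    if revoked_at is not None:
        return "reject: revoked" if revoked_at <= signed_at else "accept"
    if now > cert.not_after and not crl_keeps_expired:
        # Absence proves nothing: the entry may have been pruned at expiry.
        return "indeterminate: revocation status unknown"
    return "accept"

# Constructed sample data: key compromised and revoked mid-2010,
# and a signature timestamped after that but before expiry.
CERT = Cert(1001, datetime(2010, 1, 1), datetime(2011, 1, 1))
CERTS = {CERT.serial: CERT}
REVOCATIONS = {CERT.serial: datetime(2010, 6, 1)}
BAD_SIG_TIME = datetime(2010, 9, 1)

def check(now, ca_keeps_expired, verifier_assumes_kept):
    """Publish the CRL as of `now`, then verify the sample signature against it."""
    crl = publish_crl(REVOCATIONS, CERTS, now, ca_keeps_expired)
    return verify(CERT, BAD_SIG_TIME, crl, now, verifier_assumes_kept)

if __name__ == "__main__":
    later = datetime(2012, 1, 1)
    print(check(datetime(2010, 12, 1), False, False))  # before expiry
    print(check(later, False, True))    # pruning CA, verifier trusts absence
    print(check(later, False, False))   # pruning CA, verifier aware of pruning
    print(check(later, True, True))     # CA keeps expired entries on the CRL
```
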
