>> What matters is not the certificate. The certificate is public.
>> You can’t “steal” a certificate.
>>
>> What you *can* steal is the private key associated with a
>> certificate, and the more time goes by the more likely it becomes
>> that someone has done so.
>>
>> However, the expiration date is completely arbitrary. There’s
>> nothing magic that happens on the expiration date that makes a cert
>> significantly less secure the day after it expires than it was the
>> day before
>
> In principle, I think it does.
>
> The CA's responsibility (warranty) ends when the certificate expires.
> Once the certificate is expired it will not be added to a CRL, so it
> could not be revoked. In fact, if it was revoked, then it will be
> removed from the CRL.
Your point has relevance when discussing server certificates. If the certificate expired yesterday then be cautious, but it's likely that someone just missed the renewal notice. If it expired three years ago then be far more cautious, as the site itself is more likely to be unmaintained, unpatched, breached and owned.

But in this case we're discussing a code-signing certificate, and the code is still as good as it was on the day it was signed by a valid certificate. Sure, the code may be getting a little old, but that doesn't necessarily mean that it's no longer good.

It's a bit like an expired government ID with a date of birth on it. Sure, that driver's license can't be used to prove I should be allowed to drive a car, but if I was 21 ten years ago when the license was valid then it still proves I'm of legal age to purchase alcohol now.

J
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
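Added example (not part of the thread, and not anyone's real key or certificate): the two questions J and the quoted poster are arguing over can be pulled apart in code. Below, a constructed self-signed ECDSA code-signing certificate (hypothetical test material standing in for a CA-issued one) is valid only during 2010, a sample blob is signed in mid-2010, and verification runs in 2014. Go's standard crypto/x509 is used because it lets the verifier pick the instant at which the chain is evaluated (VerifyOptions.CurrentTime). The signature check never consults the dates; whether the certificate counts as trusted "at signing time" or "right now" is a separate policy decision, which is the server-certificate versus code-signing distinction made above. The function names, the timeline and the sample data are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer bundles a code-signing key with the certificate that vouches for it.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newSelfSignedSigner builds a self-signed code-signing certificate valid from
// notBefore to notAfter. Constructed test material standing in for a CA-issued cert.
func newSelfSignedSigner(notBefore, notAfter time.Time) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example code signer"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign returns an ECDSA-with-SHA-256 signature over data, ASN.1 encoded as
// x509.Certificate.CheckSignature expects.
func (s *Signer) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, s.Key, h[:])
}

// Verdict keeps the cryptographic question apart from the two policy questions.
type Verdict struct {
	SignatureOK   bool // does the key in the certificate sign this data?
	CertValidWhen bool // was the certificate trusted at the claimed signing time?
	CertValidNow  bool // is the certificate trusted at verification time?
}

// certValidAt builds a chain to roots and checks the validity window as of t.
// Nothing about the certificate changes between calls; only t does.
func certValidAt(cert *x509.Certificate, roots *x509.CertPool, t time.Time) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// checkSignedArtifact answers all three questions. signedAt is trusted as given;
// in real use it must come from a countersignature the verifier trusts.
func checkSignedArtifact(cert *x509.Certificate, roots *x509.CertPool,
	data, sig []byte, signedAt, now time.Time) Verdict {
	return Verdict{
		SignatureOK:   cert.CheckSignature(x509.ECDSAWithSHA256, data, sig) == nil,
		CertValidWhen: certValidAt(cert, roots, signedAt),
		CertValidNow:  certValidAt(cert, roots, now),
	}
}

func main() {
	// Constructed timeline: cert valid during 2010, code signed mid-2010,
	// verification attempted in 2014.
	y := func(year, month int) time.Time { return time.Date(year, time.Month(month), 15, 0, 0, 0, 0, time.UTC) }
	s, err := newSelfSignedSigner(y(2010, 1), y(2011, 1))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(s.Cert)
	data := []byte("constructed sample: bytes of a signed binary")
	sig, err := s.Sign(data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", checkSignedArtifact(s.Cert, roots, data, sig, y(2010, 6), y(2014, 6)))
	data[0] ^= 1 // tamper: the cryptographic check fails regardless of dates
	fmt.Printf("%+v\n", checkSignedArtifact(s.Cert, roots, data, sig, y(2010, 6), y(2014, 6)))
}
```

Run it with go run. The caveat a verifier has to carry: checkSignedArtifact trusts whatever signedAt it is handed. In practice that time has to come from a countersignature the verifier trusts (an RFC 3161 timestamp), not from the signer's own claim, otherwise a key stolen after expiry can be used with a backdated signing time; and, as the quoted poster notes, once the certificate has expired a CRL will no longer tell you about that compromise.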