Hi All,

Can someone let me know if the following statement is true for signtool:

'Although certificates expire, valid signatures do not. Signature validation is based on the date of the signature rather than the time verification occurs. If a certificate chain was valid at signing, Communicator will continue to recognize that signature even after certificates in that chain expire. This would not be true, however, if an object was signed using the -z option which omits the original timestamp and forces validation to rely on the current status of the certificate chain.'

It most definitely applies to MS's Authenticode 'technology', but the official line I have been fed is that Netscape does not validate the timestamp in any way, so when a user downloads signed code on a date after the expiration of the cert he/she will be presented with an error saying the signature has expired, and therefore they should be careful when deciding whether or not to trust it...

Any info. is appreciated. : )

-- Jason
