[145414] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Paul Tiemann)
Tue Jul 27 19:39:29 2010
From: Paul Tiemann <paul.tiemann.usenet@gmail.com>
In-Reply-To: <4C4F50E2.4020201@links.org>
Date: Tue, 27 Jul 2010 17:14:06 -0600
Cc: cryptography@metzdowd.com
To: Ben Laurie <ben@links.org>
On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote:
> On 24/07/2010 18:55, Peter Gutmann wrote:
>> - PKI dogma doesn't even consider availability issues but expects the
>> straightforward execution of the condition "problem -> revoke cert". =
For a
>> situation like this, particularly if the cert was used to sign =
64-bit
>> drivers, I wouldn't have revoked because the global damage caused by =
that is
>> potentially much larger than the relatively small-scale damage =
caused by the
>> malware. So alongside "too big to fail" we now have "too =
widely-used to
>> revoke". Is anyone running x64 Windows with revocation checking =
enabled and
>> drivers signed by the Realtek or JMicron certs?
>=20
> One way to mitigate this would be to revoke a cert on a date, and only
> reject signatures on files you received after that date.
I like that idea, as long as a verifiable timestamp is included.
Without a trusted timestamp, would the bad guy be able to backdate the =
signature?
Paul Tiemann
(DigiCert)=
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
