[145428] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Jul 28 08:29:37 2010
Date: Wed, 28 Jul 2010 11:34:14 +0100
From: Ben Laurie <ben@links.org>
To: Paul Tiemann <paul.tiemann.usenet@gmail.com>
CC: cryptography@metzdowd.com
In-Reply-To: <FC01C318-0475-4734-B445-5243704E5F5E@gmail.com>

On 28/07/2010 00:14, Paul Tiemann wrote:
> On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote:
>
>> On 24/07/2010 18:55, Peter Gutmann wrote:
>>> - PKI dogma doesn't even consider availability issues but expects the
>>> straightforward execution of the condition "problem -> revoke cert". For a
>>> situation like this, particularly if the cert was used to sign 64-bit
>>> drivers, I wouldn't have revoked because the global damage caused by that is
>>> potentially much larger than the relatively small-scale damage caused by the
>>> malware. So alongside "too big to fail" we now have "too widely-used to
>>> revoke". Is anyone running x64 Windows with revocation checking enabled and
>>> drivers signed by the Realtek or JMicron certs?
>>
>> One way to mitigate this would be to revoke a cert on a date, and only
>> reject signatures on files you received after that date.
>
> I like that idea, as long as a verifiable timestamp is included.
>
> Without a trusted timestamp, would the bad guy be able to backdate the signature?

Note that I avoided this issue by using the date of receipt.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
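
Added example (not part of the original message or of any real verifier): a sketch of the date-of-receipt rule discussed in this thread, showing why a backdated signing time does not help once the cutoff is compared against the verifier's own receipt log. The ReceiptLedger class, accept_signature function, certificate name, dates and file contents are all hypothetical, and the cryptographic signature check is assumed to have passed already.

```python
import hashlib
from datetime import datetime, timezone


class ReceiptLedger:
    """Verifier-local log of when each file was first received (hypothetical helper)."""

    def __init__(self):
        self._first_seen = {}  # sha256 hex digest -> datetime of first receipt

    def record(self, data, now):
        """Store `now` only on first sight; later calls return the original time."""
        digest = hashlib.sha256(data).hexdigest()
        return self._first_seen.setdefault(digest, now)


def accept_signature(ledger, data, cert_id, revoked_on, now, claimed_signing_time=None):
    """Decide whether to honour an already cryptographically valid signature.

    revoked_on maps cert_id -> revocation datetime (assumed input format).
    claimed_signing_time is accepted but deliberately ignored: it comes from
    the signer, so whoever holds the key can backdate it.
    """
    received = ledger.record(data, now)
    cutoff = revoked_on.get(cert_id)
    if cutoff is None:
        return True           # certificate not revoked
    return received < cutoff  # only files received before revocation survive


def demo():
    """Constructed scenario; the cert name, dates and file contents are made up."""
    utc = timezone.utc
    revoked_on = {"vendor-driver-cert": datetime(2010, 7, 20, tzinfo=utc)}
    ledger = ReceiptLedger()
    driver, late_file = b"legitimate driver image", b"file signed with the stolen key"

    # Driver received before the certificate was revoked.
    installed = accept_signature(ledger, driver, "vendor-driver-cert", {},
                                 datetime(2010, 3, 1, tzinfo=utc))
    # Same driver re-checked after revocation: its receipt date is still March.
    rechecked = accept_signature(ledger, driver, "vendor-driver-cert", revoked_on,
                                 datetime(2010, 7, 28, tzinfo=utc))
    # New file arrives after revocation carrying a backdated signing time.
    backdated = accept_signature(ledger, late_file, "vendor-driver-cert", revoked_on,
                                 datetime(2010, 7, 28, tzinfo=utc),
                                 claimed_signing_time=datetime(2009, 1, 1, tzinfo=utc))
    return installed, rechecked, backdated
```

The rule is only as trustworthy as the receipt log itself, so the ledger has to live somewhere the signer cannot write to.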