A mighty fortress is our PKI, Part II
Ben Laurie
ben at links.org
Tue Jul 27 17:34:26 EDT 2010
On 24/07/2010 18:55, Peter Gutmann wrote:
> - PKI dogma doesn't even consider availability issues but expects the
> straightforward execution of the condition "problem -> revoke cert". For a
> situation like this, particularly if the cert was used to sign 64-bit
> drivers, I wouldn't have revoked because the global damage caused by that is
> potentially much larger than the relatively small-scale damage caused by the
> malware. So alongside "too big to fail" we now have "too widely-used to
> revoke". Is anyone running x64 Windows with revocation checking enabled and
> drivers signed by the Realtek or JMicron certs?
One way to mitigate this would be to revoke a cert on a date, and only
reject signatures on files you received after that date.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
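The date-based policy suggested in the reply above, sketched in Python as an added example that is not part of the original message. It assumes the signature has already been verified cryptographically and that the receipt time comes from a local first-seen log rather than from anything inside the signed file; `ReceiptLog`, `accept_signature`, the certificate names and the dates are all hypothetical, constructed values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ReceiptLog:
    """Local record of when each file was first received, keyed by SHA-256."""
    first_seen: dict = field(default_factory=dict)

    def record(self, data: bytes, now: datetime) -> datetime:
        digest = hashlib.sha256(data).hexdigest()
        # setdefault keeps the earliest time: seeing the same file again
        # later must not push it past a revocation date.
        return self.first_seen.setdefault(digest, now)


def accept_signature(log, revocations, cert_id, data, now):
    """Decide whether a valid signature by cert_id on data is still honoured.

    revocations maps cert_id -> date the revocation takes effect.
    Only files first received after that date are rejected.
    """
    received = log.record(data, now)
    revoked_at = revocations.get(cert_id)
    if revoked_at is None:
        return True              # certificate was never revoked
    return received <= revoked_at


def demo():
    utc = timezone.utc
    # Constructed sample data: one revoked cert, one file already installed.
    revocations = {"vendor-cert-A": datetime(2010, 7, 20, tzinfo=utc)}
    log = ReceiptLog()
    before = datetime(2010, 6, 1, tzinfo=utc)
    after = datetime(2010, 8, 1, tzinfo=utc)
    return [
        accept_signature(log, revocations, "vendor-cert-A", b"driver v1", before),
        # Same driver checked again after revocation: still accepted.
        accept_signature(log, revocations, "vendor-cert-A", b"driver v1", after),
        # New file signed with the revoked cert, first seen afterwards: rejected.
        accept_signature(log, revocations, "vendor-cert-A", b"new file", after),
    ]


if __name__ == "__main__":
    print(demo())
```

The first-seen log becomes security-critical state under this policy: if it can be backdated or pre-populated, a file received after the revocation date would be accepted.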