[Cryptography] HP accidentally signs malware, will revoke certificate

ianG iang at iang.org
Sat Oct 11 11:18:45 EDT 2014

On 11/10/2014 03:11 am, dan at geer.org wrote:
> [ public case study now in progress ]

indeed, and we need more of them ;-)

> HP accidentally signs malware, will revoke certificate
> (Ars:) http://arstechnica.com/security/2014/10/hp-accidentally-signed-malwa=
> re-will-revoke-certificate/
>     Regardless of the cause, the revocation of the affected certificate
>     will require HP to re-issue a large number of software packages with a
>     new digital signature. While the certificate drop may not affect
>     systems with the software already installed, users will be alerted to
>     a bad certificate if they attempt to re-install software from original
>     media. The full impact of the certificate revocation won't be known
>     until after Verisign revokes the certificate on October 21, Wahlin
>     said.

That's um amazing.  So a 4 year old expired cert is still a critical
piece of infrastructure, and they are still going to revoke it.  Rather
finishes the argument of whether revocation means anything different
than expiry...  More on Krebs.


Revocation as a system only works if it is reasonable to roll out a new
cert, and this works as long as the scale is small.  It looks like
code-signing can escape that assumption, making one userland cert as
powerful as .. a root cert!

Revocation was always a safety blanket, cute for users but not for
serious applications, so this must be causing some headaches in the risk


ps; HP's comment that they weren't breached is laughable.

More information about the cryptography mailing list