On Dec 7, 2011, at 11:31 23AM, Jon Callas wrote:
> 
> 
> But really, I think that code signing is a great thing, it's just being done 
> wrong because some people seem to think that spooky action at a distance 
> works with bits.


The question at hand is this: what is the meaning of expiration or revocation
of a code-signing certificate?  That I can't sign new code?  That only affects
the good guys.  That I can't install code that was really signed before the
operative date?  How can I tell when it was actually signed?  That I can't
rely on it after the specified date?  That would require continual re-signing
of code.  That seems to be the best answer, but the practical difficulties
are immense.


                --Steve Bellovin, https://www.cs.columbia.edu/~smb





_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
