On Dec 7, 2011, at 11:31 23AM, Jon Callas wrote:

> But really, I think that code signing is a great thing, it's just being done
> wrong because some people seem to think that spooky action at a distance
> works with bits.

The question at hand is this: what is the meaning of expiration or revocation of a code-signing certificate? That I can't sign new code? That only affects the good guys. That I can't install code that was really signed before the operative date? How can I tell when it was actually signed? That I can't rely on it after the specified date? That would require continual resigning of code. That seems to be the best answer, but the practical difficulties are immense.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
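
The three readings of expiration or revocation listed in the message above, evaluated from the verifier's side; this is an added example, not part of the original message. The policy names, sample artifacts and dates are constructed, and the backdated signature made with a stolen key is an assumed scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class SignedCode:
    name: str
    claimed_signed_at: datetime   # written by whoever holds the key; unauthenticated
    actually_signed_at: datetime  # ground truth, never visible to the verifier

# Hypothetical names for the three readings of "expired or revoked".
BLOCK_NEW_SIGNING = "signer-may-not-sign-new-code"
REJECT_SIGNED_AFTER = "reject-code-signed-after-cutoff"
REJECT_USE_AFTER = "reject-any-use-after-cutoff"
POLICIES = (BLOCK_NEW_SIGNING, REJECT_SIGNED_AFTER, REJECT_USE_AFTER)

def accept(policy, code, cutoff, now):
    """Return True if a verifier applying `policy` installs `code` at time `now`."""
    if policy == BLOCK_NEW_SIGNING:
        # Constrains only the signer's own tooling; the verifier checks no date.
        return True
    if policy == REJECT_SIGNED_AFTER:
        # The verifier can compare only the claimed time, not the actual one.
        return code.claimed_signed_at <= cutoff
    if policy == REJECT_USE_AFTER:
        # Nothing is trusted past the cutoff, whenever it was signed.
        return now <= cutoff
    raise ValueError(f"unknown policy: {policy}")

def evaluate(cutoff, now, samples):
    """Map (policy, artifact name) to the verifier's install decision."""
    return {(p, c.name): accept(p, c, cutoff, now) for p in POLICIES for c in samples}

# Constructed samples: an honest old release, and code signed after the cutoff
# with a stolen key whose holder wrote an earlier date into the signature.
CUTOFF = utc(2011, 12, 1)
NOW = utc(2011, 12, 7)
LEGIT = SignedCode("legit-old-release", utc(2011, 6, 1), utc(2011, 6, 1))
BACKDATED = SignedCode("backdated-signature", utc(2011, 6, 1), utc(2011, 12, 5))

if __name__ == "__main__":
    for (policy, name), ok in evaluate(CUTOFF, NOW, [LEGIT, BACKDATED]).items():
        print(f"{policy:34} {name:20} {'install' if ok else 'reject'}")
```

Only the third policy rejects the backdated artifact, and it does so by also rejecting the honest release, which would then have to be signed again.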