Jason Barr wrote:

> Hi All
> 
> Can someone let me know if the following statement is true for signtool:
> 
> 'Although certificates expire, valid signatures do not.
> Signature validation is based on the date of the signature rather than
> the time verification occurs.
> If a certificate chain was valid at signing, Communicator will continue
> to recognize that signature even after certificates in that chain
> expire.
> This would not be true, however, if an object was signed using the -z
> option which omits the original timestamp and forces validation to rely
> on the current status of the certificate chain.'


I'm not familiar with the -z option, but the rest is correct. Expiration
of certs in the chain does not invalidate previously signed objects.


> 
> It most definitely applies to MS's Authenticode 'technology', but the
> official line I have been fed is that Netscape does not validate the
> timestamp in any way, so when a user downloads signed code on a date
> after the expiration of the cert he/she will be presented with an error
> saying the signature has expired, and therefore they should be careful
> when deciding whether or not to trust it...


Netscape validates signatures based on when the object was signed, not
the current date. This is true for S/MIME messages as well. If the
object was signed after the certificate expired, then the signature
would not be considered valid.

There has been a lot of debate about this within Netscape because the
timestamp is not authenticated. Once you have a certificate, it's
possible to continue to create valid signed objects by back-dating.
Set against this is the concern that you don't want software to simply
stop working because it was signed by a certificate two years ago that
has now expired (this was an even bigger issue with Communicator, where
the Java classes are signed. You didn't want the application itself to
stop working after the certificate expired).

The debate on this point will probably continue until we have a cheap,
reliable authority to verify timestamps.


> 
> Any info. is appreciated. : )
> --
> Jason
> 
> 


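A small model of the two validation policies the reply contrasts (validate the chain at the claimed signing time, or at the current time; plus the -z case where no timestamp is present), added here as an illustration. It is not Netscape, NSS or signtool code: the `Cert`, `SignedObject` and `validate` names, the certificates and the dates are all constructed for the example. Its point is the back-dating caveat from the reply: because the signing time is a claim made by the signer, a validator that trusts it cannot distinguish an object honestly signed in 2002 from one produced in 2005 with the same, now-expired key.

```python
"""
Illustrative model of signing-time vs. current-time signature validation.
Added example code; not Netscape/NSS/signtool source. Certificates, dates
and the "signed objects" below are constructed records, not real PKCS#7 data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc
POLICIES = ("signing-time", "current-time")


def ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=UTC)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class SignedObject:
    chain: List[Cert]                  # leaf first, issuer(s) after it
    signing_time: Optional[datetime]   # claimed by the signer, NOT authenticated;
                                       # None models an object signed with -z


def first_invalid_cert(chain: List[Cert], t: datetime) -> Optional[Cert]:
    """Return the first cert in the chain that is outside its validity window at t."""
    for cert in chain:
        if not cert.valid_at(t):
            return cert
    return None


def validate(obj: SignedObject, now: datetime, policy: str) -> Tuple[bool, str]:
    """
    Check the chain at a reference time chosen by policy.
    'signing-time'  : use the claimed signing time if present, else fall back to now
                      (this fallback is the -z behaviour described in the thread).
    'current-time'  : always use now (the behaviour Jason was told Netscape has).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "current-time" or obj.signing_time is None:
        ref, basis = now, "current time"
    else:
        ref, basis = obj.signing_time, "claimed signing time"
    bad = first_invalid_cert(obj.chain, ref)
    if bad is None:
        return True, f"chain valid at {basis} {ref.date()}"
    return False, f"{bad.subject!r} not valid at {basis} {ref.date()}"


def run_scenarios() -> dict:
    """Constructed scenarios; returns {case: {policy: accepted?}}."""
    ca = Cert("Example CA", ts(2000, 1, 1), ts(2010, 1, 1))
    leaf = Cert("Vendor code-signing", ts(2001, 1, 1), ts(2003, 1, 1))
    chain = [leaf, ca]
    now = ts(2005, 1, 1)  # verification happens two years after the leaf expired

    cases = {
        # Honestly signed while the leaf was valid; leaf has since expired.
        "signed_2002_verified_2005": SignedObject(chain, ts(2002, 6, 1)),
        # Signed after the leaf expired: rejected under either policy.
        "signed_after_expiry": SignedObject(chain, ts(2004, 1, 1)),
        # Produced in 2005 with the expired key, but the signer wrote 2002
        # as the signing time. Indistinguishable from the first case.
        "backdated_by_attacker": SignedObject(chain, ts(2002, 6, 1)),
        # Signed with -z: no timestamp, so validation falls back to now.
        "no_timestamp_dash_z": SignedObject(chain, None),
    }
    return {
        name: {policy: validate(obj, now, policy)[0] for policy in POLICIES}
        for name, obj in cases.items()
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} {result}")
```

The `signed_2002_verified_2005` and `backdated_by_attacker` rows come out identical under both policies, which is exactly why the thread's disagreement cannot be settled by the validator alone: only a timestamp asserted by a party other than the signer (the "reliable authority" the reply ends on) would let the signing-time policy keep old software working without also accepting back-dated signatures.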