On Wed, 2015-07-22 at 22:40 +0200, Kurt Roeckx wrote:
> On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote:
> > On Wed, 2015-07-22 at 14:52 +0000, Tim Hollebeek wrote:
> > > The way this is supposed to work is by using a timestamp from a
> > > trusted timestamp server to show the certificate was valid at the
> > > time the code was signed.
> >
> > That would be great. Unfortunately, if the UEFI firmware were
> > suddenly to start insisting upon that then a lot of operating
> > systems would no longer boot.
>
> Which operating systems would that be? As far as I know Windows 7
> required this if you wanted to have your drivers stay valid for
> longer than 2 years and Windows 10 just always requires it. So I
> would hope that they actually do this for all of their own
> software.

Perhaps they do, although the UEFI bootloader they use is a somewhat different beast. But there are plenty of other OS bootloaders which are signed for so-called "secure boot", other than Microsoft's. And I would be utterly shocked if they all have trusted timestamps, given that the UEFI firmware in all current machines does not require such.

--
dwmw2
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev