Certificate validity - four questions about time
Hello
I am planning to deploy digitally signed programs. I have studied the basics, and understand them. There are however some questions related to time stamping and validity period I cannot understand.
Possible scenario: I have a code signing certificate, which has been set valid from 1.1.2011 to 31.12.2011.
Question 1:
If on 31.12.2011 I change the computer date back to 1.6.2011, how does the certificate know what date today really is?
Is an internet connection always required when signing programs with this certificate, so it can check online for the real date, even if I do not timestamp the signed programs?
Question 2:
If I do not timestamp a digitally signed program, is any kind of other date information stored into the signature? That would show when the program was signed, even though not officially timestamped.
Question 3:
Can you digitally sign a program with an expired certificate? Is the system designed to completely prevent that, or does it just show a warning message?
Question 4:
The following scenario takes place:
- The end-user running a digitally signed program is always offline from internet.
- His computer clock is set to year 2005.
- The digitally signed program was signed on 1.5.2011 and not timestamped.
- The CA certificate used to sign the program has expired, because today is 1.3.2012.
Will the end-user get a warning message when running the digitally signed program, and if he does, why that happens?
Thanks for all the help!
April 11th, 2011 11:53am
Can anybody help me with any of the questions?
April 13th, 2011 8:20am
> how does the certificate know what date today really is?
The system uses the local time source (system date and time).
> Is internet connection always required when signing programs with this certificate, so it can check online for the real date, even if i do not timestamp the signed programs?
An internet connection can be used for chaining engine purposes (downloading required certificates and CRLs) and not to determine the actual date and time (outside of the win32time service).
> If i do not timestamp a digitally signed program, is anykind of other date information stored into the signature? That would show when the program was signed, eventhough not officially timestamped.
No. Such information (signature creation time) is not stored in the signature. This information is stored in the timestamp.
> Can you digitally sign a program with an expired certificate? Is the system designed to completely prevent that, or does it just show a warning message?
By using regular tools — no. However, you can invoke low-level APIs to sign a file with an expired signing certificate. But this is useless, because standard signature validation tools will fail validation.
> Will the end-user get a warning message when running the digitally signed program, and if he does, why that happens?
If a signing certificate (and all certificates in the chain) was valid at the specified date (year 2005), now warnings will be displayed. As I said, information about signing time is stored only in the timestamp. If a timestamp is not available (the file has a simple signature), the client checks whether the signing certificate is valid for the current date and time.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.c
April 13th, 2011 9:18am
Hello and thanks for your reply
Wouldn't an exploit then be possible? Example:
Somebody has a code signing certificate valid for 1 year (1.1.2011 - 31.12.2011). After this period he always changes the system clock back to 1.1.2011, and keeps signing more programs.
The certificate does not know what date today really is, and thinks everything is OK.
He then gives the program to another user, and when running the program it says everything is ok.
How can this be prevented?
April 26th, 2011 11:03am
There is no exploit and/or vulnerability issue. This is because when he gives the program to another user, the user's computer will have the actual date and time. Therefore, if the signature is not timestamped and the signing certificate is expired (based on system date and time), the signature will become invalid.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 26th, 2011 11:59am
Thanks, now I understand.
This is why it is important to timestamp the program. Even after the validity period expires, it will show the digitally signed program is OK, if it was signed and timestamped during a valid period. Without the timestamp the signed program will become untrusted after the validity period expires.
April 27th, 2011 8:29am
Exactly.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 27th, 2011 8:31am
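The check the thread converges on (no timestamp means the signer certificate must be valid on the verifier's own clock; a timestamp means validity is judged at signing time) can be confirmed on a real file with the built-in cmdlet. This is an added example, not code from the thread or from the PSPKI module; the file path is a placeholder.

```powershell
# Added example: report whether an Authenticode-signed file carries a timestamp and
# whether the signer certificate's validity window covers this machine's clock.
# $Path is a placeholder; point it at a signed executable on the verifying machine.
param(
    [string]$Path = 'C:\path\to\signed-program.exe'
)

$sig = Get-AuthenticodeSignature -FilePath $Path
# The verifier's own clock is what matters; a spoofed clock on the signer's machine
# is never consulted here, which is why the "set the date back" scenario does not help.
$now = Get-Date

"Status            : $($sig.Status) ($($sig.StatusMessage))"

if (-not $sig.SignerCertificate) {
    "Signer            : none (file is not signed)"
    return
}

"Signer            : $($sig.SignerCertificate.Subject)"
"Signer valid from : $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"

if ($sig.TimeStamperCertificate) {
    # A countersignature from a timestamp authority is present: the signature stays
    # valid after the signer certificate expires, because validity is judged at the
    # time asserted by the timestamp, not at the current time.
    "Timestamp         : present, issued by $($sig.TimeStamperCertificate.Subject)"
} else {
    # No timestamp: the only date available is the verifier's current time, so the
    # signature becomes untrusted as soon as the signer certificate leaves its window.
    "Timestamp         : none"
    $inWindow = ($now -ge $sig.SignerCertificate.NotBefore) -and
                ($now -le $sig.SignerCertificate.NotAfter)
    if ($inWindow) {
        "Note              : signer valid as of $now, but this signature will stop validating after $($sig.SignerCertificate.NotAfter)"
    } else {
        "Note              : signer outside its validity window as of $now; expect validation to fail"
    }
}
```

Get-AuthenticodeSignature does not expose the time asserted inside the timestamp itself, only the timestamper certificate; the presence of that certificate is the indicator used above.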