Questions on Code signing cert.
Reading about the Stuxnet worm being signed with a valid cert raised some questions. In my environment we issue a single code signing cert to our developers to sign various code so it runs seamlessly on our machines. Since the cert is issued from our own PKI it's all seamless. What would happen if that cert was compromised and I revoke it? Will this stop code already signed with the now revoked cert from running or simply prompt them to accept? I'm thinking what would happen if a disgruntled employee signed some malicious code with the cert, even if the cert is now revoked?
February 24th, 2011 7:24pm
> Will this stop code already signed with the now revoked cert from running or simply prompt them to accept?
This depends. If the code signature was timestamped, the signature will be considered valid, even if the certificate was revoked after the signing operation, though it is not possible to sign any new data with a revoked certificate. And even if someone tries to sign data with a revoked certificate, the signature will become invalid.
http://en-us.sysadmins.lv
February 25th, 2011 1:38am
I understand the first answer. However you say "it is not possible to sign any new data with revoked certificate". Why not? If I have the cert on my PC, what's to stop me from using it to sign code even? I could just as easily sign code with a self-signed certificate, so what's to stop me using a cert that I have in my possession, even if it's revoked?
February 27th, 2011 6:04pm
> Why not?
Because it is revoked and the signature check will fail in any case. Therefore it is not necessary to try to sign any data with a revoked certificate.
http://en-us.sysadmins.lv
February 28th, 2011 1:36am
> > Why not?
> Because it is revoked and the signature check will fail in any case. Therefore it is not necessary to try to sign any data with a revoked certificate.
> http://en-us.sysadmins.lv
Are you assuming here that whatever function I am using to sign my code, the certificate's CRL is being checked first?
February 28th, 2011 10:33pm
No. I just want to say that this is useless. Technically you can sign data with a revoked certificate; however, any signature checking function will fail when it attempts to validate the signature.
http://en-us.sysadmins.lv
March 1st, 2011 2:11am
> If code signature was timestamped, the signature will be considered as valid, even if certificate was revoked after signing operation.
Well, that depends. The CA administrator could revoke the certificate retroactively by specifying an earlier date when revoking the certificate. Thereby, all signatures after the specified revocation date are being treated as invalid.
March 1st, 2011 4:05am
On Tue, 1 Mar 2011 08:59:27 +0000, Fredrik DXter Jonsson wrote:
> > If code signature was timestamped, the signature will be considered as valid, even if certificate was revoked after signing operation.
> Well, that depends. The CA administrator could revoke the certificate retroactively by specifying an earlier date when revoking the certificate. Thereby, all signatures after the specified revocation date are being treated as invalid.
How exactly would one go about doing this?
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Compatible: Gracefully accepts erroneous data from any source.
March 1st, 2011 6:17am
> The CA administrator could revoke the certificate retroactively by specifying an earlier date when revoking the certificate. Thereby, all signatures after the specified revocation date are being treated as invalid.
Yes. This is correct. According to RFC 5280 §5.3.2:
The invalidity date is a non-critical CRL entry extension that
provides the date on which it is known or suspected that the private
key was compromised or that the certificate otherwise became invalid.
This date may be earlier than the revocation date in the CRL entry,
which is the date at which the CA processed the revocation. When a
revocation is first posted by a CRL issuer in a CRL, the invalidity
date may precede the date of issue of earlier CRLs, but the
revocation date SHOULD NOT precede the date of issue of earlier CRLs.
Whenever this information is available, CRL issuers are strongly
encouraged to share it with CRL users.
http://en-us.sysadmins.lv
March 1st, 2011 6:49am
> How exactly would one go about doing this?
In ADCS: Right click on the certificate in Issued Certificates and choose -> All Tasks -> Revoke Certificate.
That gives you this screen that allows you to specify revocation reason and revocation date.
March 1st, 2011 7:04am
On Tue, 1 Mar 2011 11:57:43 +0000, Fredrik DXter Jonsson wrote:
> > How exactly would one go about doing this?
> In ADCS: Right click on the certificate in Issued Certificates and choose -> All Tasks -> Revoke Certificate.
> That gives you this screen <http://www.ghostzone.net/certificate_revocation.png> that allows you to specify revocation reason and revocation date.
Thanks! I can't believe that the number of times I've been in that UI and
never really noticed the date field. :-)
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Disclaimer: Any errors in spelling, tact, or fact are transmission
errors.
March 1st, 2011 7:16am
Paul, this functionality was added only in Windows Server 2008.
http://en-us.sysadmins.lv
March 9th, 2011 3:48pm
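The rule discussed in this thread (a timestamped signature is judged against the revocation date in the CRL entry, and the CA administrator can set that date earlier than the day the revocation was processed) can be sketched as a small model. This is an added example, not code posted by any participant and not the Windows verification code; the serial number, file names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass
class SignedFile:
    name: str
    signer_serial: str
    timestamp: Optional[datetime]  # trusted timestamp; None if not timestamped


def check(f: SignedFile, valid_from: datetime, valid_to: datetime,
          crl: Dict[str, datetime], now: datetime) -> str:
    """crl maps a certificate serial to the revocation date in its CRL entry."""
    # With a timestamp the certificate is judged at signing time,
    # without one it is judged at verification time.
    judged_at = f.timestamp or now
    if not valid_from <= judged_at <= valid_to:
        return "invalid: outside certificate validity period"
    revoked_on = crl.get(f.signer_serial)
    if revoked_on is None:
        return "valid"
    if f.timestamp is not None and f.timestamp < revoked_on:
        return "valid: timestamped before revocation date"
    return "invalid: certificate revoked"


# Constructed scenario: one shared code signing certificate.
SERIAL = "EXAMPLE-SERIAL-01"
ISSUED, EXPIRES = datetime(2010, 6, 1), datetime(2012, 6, 1)
NOW = datetime(2011, 3, 9)
FILES = [
    SignedFile("payroll.exe", SERIAL, datetime(2011, 1, 10)),  # legitimate build
    SignedFile("rogue.exe", SERIAL, datetime(2011, 2, 20)),    # signed by the insider
    SignedFile("tool.exe", SERIAL, None),                      # never timestamped
]


def run(revocation_date: datetime) -> Dict[str, str]:
    crl = {SERIAL: revocation_date}
    return {f.name: check(f, ISSUED, EXPIRES, crl, NOW) for f in FILES}


PROCESSED = run(datetime(2011, 3, 1))   # date the CA processed the revocation
BACKDATED = run(datetime(2011, 2, 15))  # date set back to the suspected misuse

if __name__ == "__main__":
    for label, result in (("processed", PROCESSED), ("backdated", BACKDATED)):
        for name, verdict in result.items():
            print(f"{label:9} {name:12} {verdict}")
```

In this model only the backdated revocation date rejects the insider's timestamped file, while the earlier legitimate build stays valid and the untimestamped file is rejected in both runs.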