Questions on Code signing cert.
Reading about the Stuxnet worm being signed with a valid cert raised some questions. In my environment we issue a single code signing cert to our developers to sign various code so it runs seamlessly on our machines. Since the cert is issued from our own PKI it's all seamless. What would happen if that cert was compromised and I revoke it? Will this stop code already signed with the now revoked cert from running, or simply prompt them to accept? I'm thinking of what would happen if a disgruntled employee signed some malicious code with the cert, even if the cert is now revoked?
February 24th, 2011 7:24pm

> Will this stop code already signed with the now revoked cert from running or simply prompt them to accept?

This depends. If the code signature was timestamped, the signature will be considered valid, even if the certificate was revoked after the signing operation. Though it is not possible to sign any new data with a revoked certificate. And even if someone tries to sign data with a revoked certificate, the signature will become invalid.
http://en-us.sysadmins.lv
February 25th, 2011 1:38am

I understand the first answer. However you say "it is not possible to sign any new data with revoked certificate". Why not? If I have the cert on my PC, what's to stop me from using it to sign code? I could just as easily sign code with a self-signed certificate, so what's to stop me using a cert that I have in my possession, even if it's revoked?
February 27th, 2011 6:04pm

> Why not?

Because it is revoked and the signature check will fail in any way. Therefore it is not necessary to try to sign any data with a revoked certificate.
http://en-us.sysadmins.lv
February 28th, 2011 1:36am

> Why not? because it is revoked and signature check will fail in any way. Therefore it is not necessary to try to sign any data with revoked certificate. http://en-us.sysadmins.lv

Are you assuming here that whatever function I am using to sign my code, the certificate's CRL is being checked first?
February 28th, 2011 10:33pm

No. I just want to say that this is useless. Technically you can sign data with a revoked certificate, however any signature checking function will fail when it attempts to validate the signature.
http://en-us.sysadmins.lv
March 1st, 2011 2:11am

> If code signature was timestamped, the signature will be considered as valid, even if certificate was revoked after signing operation.

Well, that depends. The CA administrator could revoke the certificate retroactively by specifying an earlier date when revoking the certificate. Thereby, all signatures after the specified revocation date are treated as invalid.
March 1st, 2011 4:05am

On Tue, 1 Mar 2011 08:59:27 +0000, Fredrik DXter Jonsson wrote:

> If code signature was timestamped, the signature will be considered as valid, even if certificate was revoked after signing operation. Well, that depends. The CA administrator could revoke the certificate retroactively by specifying an earlier date when revoking the certificate. Thereby, all signatures after the specified revocation date are being treated as invalid.

How exactly would one go about doing this?

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Compatible: Gracefully accepts erroneous data from any source.
March 1st, 2011 6:17am

> The CA administrator could revoke the certificate retroactively by specifying an earlier date when revoking the certificate. Thereby, all signatures after the specified revocation date are being treated as invalid.

Yes. This is correct. According to RFC 5280 §5.3.2:

> The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date may be earlier than the revocation date in the CRL entry, which is the date at which the CA processed the revocation. When a revocation is first posted by a CRL issuer in a CRL, the invalidity date may precede the date of issue of earlier CRLs, but the revocation date SHOULD NOT precede the date of issue of earlier CRLs. Whenever this information is available, CRL issuers are strongly encouraged to share it with CRL users.

http://en-us.sysadmins.lv
March 1st, 2011 6:49am
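The rules the replies above describe (a timestamped signature survives a later revocation, an untimestamped one does not, and a backdated invalidity date from RFC 5280 §5.3.2 moves the cutoff earlier) can be written down as a small verifier policy. The following is an added example, not code posted in this thread and not a real Authenticode or CRL implementation; every serial number, date and scenario in it is constructed sample data.

```python
"""Added model of how a signature verifier treats a code signature once the
signing certificate appears on a CRL.

Rules modelled, as described in the thread and RFC 5280 section 5.3.2:
  * a signature with a trusted timestamp that predates the certificate's
    invalidity date stays valid after revocation;
  * a signature with no trusted timestamp cannot prove when it was made, so
    once the certificate is revoked it is treated as invalid;
  * if the CA records an invalidity date earlier than the revocation date,
    that earlier date is the cutoff, so signatures made inside the suspected
    compromise window are rejected too.
All serial numbers, dates and scenarios below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class RevocationEntry:
    """One CRL entry (constructed): serial, revocation date, optional invalidity date."""
    serial: int
    revocation_date: datetime                   # when the CA processed the revocation
    invalidity_date: Optional[datetime] = None  # RFC 5280 s5.3.2; may be earlier


@dataclass(frozen=True)
class Signature:
    """A code signature: the signer's serial and the time from a trusted timestamp, if any."""
    signer_serial: int
    signing_time: Optional[datetime]  # None means no timestamp countersignature


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def effective_cutoff(entry: RevocationEntry) -> datetime:
    """The date from which signatures by this certificate are no longer trusted."""
    return entry.invalidity_date or entry.revocation_date


def check_signature(sig: Signature, crl: list) -> tuple:
    """Return (is_valid, reason) for a signature whose cryptographic check already passed."""
    entry = next((e for e in crl if e.serial == sig.signer_serial), None)
    if entry is None:
        return True, "signer certificate is not on the CRL"
    if sig.signing_time is None:
        # Without a trusted timestamp the verifier can only use the current time,
        # and at the current time the certificate is revoked.
        return False, "signer revoked and the signature carries no trusted timestamp"
    cutoff = effective_cutoff(entry)
    if sig.signing_time < cutoff:
        return True, f"timestamped {sig.signing_time:%Y-%m-%d}, before cutoff {cutoff:%Y-%m-%d}"
    return False, f"timestamped {sig.signing_time:%Y-%m-%d}, on or after cutoff {cutoff:%Y-%m-%d}"


# Constructed CRL: serial 0x1001 revoked on 2011-02-28, with the CA backdating the
# invalidity date to 2011-02-01 because the key is suspected compromised since then.
SAMPLE_CRL = [RevocationEntry(0x1001, utc(2011, 2, 28), utc(2011, 2, 1))]

# Constructed scenarios covering the cases raised in the thread.
SCENARIOS = {
    "timestamped before the compromise window": Signature(0x1001, utc(2011, 1, 15)),
    "timestamped inside the compromise window": Signature(0x1001, utc(2011, 2, 15)),
    "no timestamp at all": Signature(0x1001, None),
    "signed after the revocation": Signature(0x1001, utc(2011, 3, 5)),
    "signed by a different, unrevoked certificate": Signature(0x1002, utc(2011, 3, 5)),
}


def evaluate(crl=SAMPLE_CRL, scenarios=SCENARIOS) -> dict:
    """Map each scenario name to its validity verdict."""
    return {name: check_signature(sig, crl)[0] for name, sig in scenarios.items()}


if __name__ == "__main__":
    for name, sig in SCENARIOS.items():
        valid, reason = check_signature(sig, SAMPLE_CRL)
        print(f"{'VALID  ' if valid else 'INVALID'}  {name}: {reason}")
```

The practical lesson for the original question is that only the timestamped-before-cutoff case keeps running after revocation, so the decision an administrator makes in the revocation dialog (how far back to set the date) directly decides which of the developers' existing signatures survive. To see whether an existing binary carries a timestamp at all, `Get-AuthenticodeSignature` in PowerShell exposes it through the `TimeStamperCertificate` property of the returned signature object.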

> How exactly would one go about doing this?

In ADCS: Right click on the certificate in Issued Certificates and choose -> All Tasks -> Revoke Certificate. That gives you this screen that allows you to specify the revocation reason and revocation date.
March 1st, 2011 7:04am

On Tue, 1 Mar 2011 11:57:43 +0000, Fredrik DXter Jonsson wrote:

> How exactly would one go about doing this? In ADCS: Right click on the certificate in Issued Certificates and choose -> All Tasks -> Revoke Certificate. That gives you this screen <http://www.ghostzone.net/certificate_revocation.png> that allows you to specify revocation reason and revocation date.

Thanks! I can't believe the number of times I've been in that UI and never really noticed the date field. :-)

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
March 1st, 2011 7:16am

Paul, this functionality was added only in Windows Server 2008.
http://en-us.sysadmins.lv
March 9th, 2011 3:48pm
