Hacker News new | ask | show | jobs
by iancarroll 1486 days ago
> Revoke certificates for old compromised versions of an installer so that downgrade attacks are not possible.

Worth noting that Windows accepts signatures from revoked code signing certificates so long as it has a signed timestamped before the revocation.
1 comments
hamandcheese 1486 days ago
….and I assume the revocation can’t be back-dated?
link
ComputerGuru 1486 days ago
timestamps must come from a globally recognized signed source, like digicert or verisign.
link
iancarroll 1486 days ago
The CA could backdate the CRL’s revocation timestamp if they wanted, but it seems unlikely and presumably it’s not allowed.
link