by tzs
1066 days ago
I have no idea how validity works for the systems these keys are used in, but I do know that in general there are two ways that key- or certificate-based verification handles an expired key or certificate. Anyone know which of these is the way whatever Microsoft was using these things for works?

In one of them, which is the way TLS verification works, it goes something like this when checking certificate Cn that is signed by Cn-1 which is signed by ... is signed by C0.

    from datetime import datetime

    def check_tls_style(chain):          # chain = [Cn, ..., C0], leaf first
        time_check = datetime.now()
        for cert in chain:               # every cert is checked against now
            if time_check < cert.valid_from or time_check > cert.valid_to:
                return "EXPIRED"
        return "NOT_EXPIRED"

Each certificate's expiration is checked against the current time. The other, which is used for code signing, goes something like this:

    from datetime import datetime

    def check_code_signing_style(chain):  # chain = [Cn, ..., C0], leaf first
        time_check = datetime.now()
        for cert in chain:
            if time_check < cert.valid_from or time_check > cert.valid_to:
                return "EXPIRED"
            time_check = cert.issue_time  # next cert up is checked at the time it signed this one
        return "NOT_EXPIRED"

Cn is checked against the current time. The rest of them are checked against the time at which they signed the next downstream certificate.

I understand why code signing works like that. It's essentially digital notarization, and you don't want your notarized documents to become no longer notarized just because the notary public you used has since stopped being a notary public and let their license expire.
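Both checks from the comment above run over one constructed three-certificate chain, as an added example that is not the commenter's code: the Cert class, the function names and all dates are assumptions, and issue_time is taken to be the moment the issuer signed that certificate, which is the time the second loop steps back to.

```python
from dataclasses import dataclass
from datetime import datetime

EXPIRED, NOT_EXPIRED = "EXPIRED", "NOT_EXPIRED"


@dataclass(frozen=True)
class Cert:
    name: str
    valid_from: datetime
    valid_to: datetime
    issue_time: datetime  # when the issuer signed this certificate (assumed field)


def tls_style(chain, now):
    """TLS rule: every certificate, leaf first, must be valid at the current time."""
    for cert in chain:
        if now < cert.valid_from or now > cert.valid_to:
            return EXPIRED
    return NOT_EXPIRED


def code_signing_style(chain, now):
    """Code-signing rule: the leaf is checked against now; each issuer is checked
    against the time it signed the certificate below it."""
    time_check = now
    for cert in chain:
        if time_check < cert.valid_from or time_check > cert.valid_to:
            return EXPIRED
        time_check = cert.issue_time
    return NOT_EXPIRED


# Constructed chain, leaf first. The intermediate expired in 2020, but it signed
# the leaf in 2018, while it was still valid; the leaf itself runs to 2028.
ROOT = Cert("C0 root", datetime(2010, 1, 1), datetime(2030, 1, 1), datetime(2010, 1, 1))
INTERMEDIATE = Cert("C1 intermediate", datetime(2015, 1, 1), datetime(2020, 1, 1), datetime(2015, 6, 1))
LEAF = Cert("C2 signing cert", datetime(2018, 1, 1), datetime(2028, 1, 1), datetime(2018, 1, 1))
CHAIN = [LEAF, INTERMEDIATE, ROOT]

NOW = datetime(2023, 1, 1)          # intermediate already expired
EARLIER = datetime(2019, 6, 1)      # whole chain still valid
LATER = datetime(2029, 1, 1)        # leaf itself expired

if __name__ == "__main__":
    print("TLS-style:", tls_style(CHAIN, NOW))                    # EXPIRED
    print("code-signing-style:", code_signing_style(CHAIN, NOW))  # NOT_EXPIRED
```

The same chain passes both checks at EARLIER and fails both at LATER, so the two rules only diverge while an issuer has expired but the signature it made is still within the signed certificate's own validity window.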