
How does this help? In order to provide any security you would need to limit the time from signing, which would be very similar to just issuing the certificate for that much longer. There is no way to verify that the binary was actually signed at that time.



It uses trusted timestamping servers run by certificate authorities to sign the timestamp information.


Ok, I didn't realize that. But it still doesn't solve the problem of compromising an old certificate and creating a fake signature with your own time.


A timestamp authority is trusted in the same way that a certificate signing authority is, so you'd have to compromise a timestamp authority as well as the private keys paired with the certificate. A self-timestamped file would have the same level of trust as a file signed with a self-signed certificate.


Expired and compromised are two different things. If compromised, it will be published in a CRL with a reason flag.


The reason why certificates expire is because they will become easy to crack as computers get faster. So this would effectively be removing the expiry date. Now you can crack any old certificate and sign things claiming that you did it before the certificate expired.


As someone above has already said.

To do this, you'd need to compromise or convince a trusted timestamping authority to sign your signing request with an old date.
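
The acceptance rule this thread converges on, as an added example that is not part of any comment above: a signature under an expired certificate passes only when a trusted timestamp authority places the signing inside the validity window and before any revocation date. The class names, the trust store entry and the dates are constructed for illustration, and comparing the revocation date against the timestamp is an assumption of this simplified model.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date from the CRL entry

@dataclass(frozen=True)
class Timestamp:
    signed_at: datetime  # time asserted in the timestamp token
    tsa: str             # authority whose signature covers that time

# Constructed trust store; a real verifier chains the TSA certificate to a root.
TRUSTED_TSAS = {"Example Trusted TSA"}

def effective_signing_time(ts, now):
    # Only a trusted TSA can fix the signing time. A missing or self-issued
    # timestamp carries no weight, so the signature is judged as of "now".
    if ts is not None and ts.tsa in TRUSTED_TSAS:
        return ts.signed_at
    return now

def verify(cert, ts, now):
    # Assumes the signature and the TSA countersignature already verified
    # cryptographically; this is only the time and revocation policy.
    when = effective_signing_time(ts, now)
    if not (cert.not_before <= when <= cert.not_after):
        return "reject: certificate not valid at signing time"
    if cert.revoked_at is not None and cert.revoked_at <= when:
        return "reject: certificate revoked before signing time"
    return "accept"

# Constructed sample data: a certificate that expired years before NOW.
NOW = utc(2024, 6, 1)
CERT = Cert(utc(2020, 1, 1), utc(2021, 1, 1))
REVOKED = replace(CERT, revoked_at=utc(2020, 3, 1))

if __name__ == "__main__":
    print(verify(CERT, Timestamp(utc(2020, 6, 1), "Example Trusted TSA"), NOW))
    print(verify(CERT, Timestamp(utc(2020, 6, 1), "self-run TSA"), NOW))
    print(verify(REVOKED, Timestamp(utc(2020, 6, 1), "Example Trusted TSA"), NOW))
```

The second call is the self-timestamped case from the thread: the claimed 2020 date is ignored, so the expired certificate is judged at the current time and rejected.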



