Compromised certificates: Revocations alone are insufficient
Source: H Security - Posted by Alex   
Privacy Revoking a digital certificate does not automatically invalidate, for instance, software signatures that have been made with this certificate. What matters is the revocation date, which determines the point in time after which a signature will no longer be validated. According to a report from anti-virus specialist Norman, the signatures of several recently discovered trojans were validated by Windows as a result, and no warning was issued before installing the malware. The trojans were signed with a key that had been stolen from a Japanese company. The corresponding certificate was reported as compromised on 29 July 2011 and revoked by its issuing Certificate Authority (CA), VeriSign, which is now part of Symantec. However, that date was also entered as the revocation date.

Read this full article at H Security

Only registered users can write comments.
Please login or register.

Powered by AkoComment!