> Revoke certificates for old compromised versions of an installer so that downg... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		iancarroll on May 24, 2022 \| parent \| context \| favorite \| on: Zoom: Remote Code Execution with XMPP Stanza Smugg... > Revoke certificates for old compromised versions of an installer so that downgrade attacks are not possible. Worth noting that Windows accepts signatures from revoked code signing certificates so long as it has a signed timestamped before the revocation.

hamandcheese on May 24, 2022 [–]

….and I assume the revocation can’t be back-dated?

ComputerGuru on May 24, 2022 | [–]

timestamps must come from a globally recognized signed source, like digicert or verisign.

iancarroll on May 24, 2022 | | [–]

The CA could backdate the CRL’s revocation timestamp if they wanted, but it seems unlikely and presumably it’s not allowed.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact