Compromise: When to Revoke Certificates

Monday, November 21, 2011 @ 02:11 PM gHale


With all the problems caused by tainted digital certificates, it is worth remembering that revoking a certificate does not automatically invalidate everything signed with it, such as software signatures.

What matters is the revocation date recorded by the Certificate Authority: a timestamped signature made before that date is still treated as valid, and only signatures made after it are rejected.


Because of this, Windows validated the signatures on several Trojans and showed no warning before the malware was installed, according to a report from anti-virus specialist Norman.

The Trojans were signed with a key stolen from a Japanese company. The compromise came to light July 29 2011 and the corresponding certificate was revoked that day by its issuing Certificate Authority (CA), VeriSign, which is now part of Symantec. However, July 29 was also recorded as the revocation date, the point from which signatures would be treated as invalid.

Unfortunately, the Trojans had been signed with the key on April 13, 2010, July 3, 2010, and January 2, 2011, long before the revocation date. Because of this, the older signatures remained valid, and systems would only invalidate signatures made after the revocation date.

Norman believes the issue is down to Certificate Authorities being overly cautious when setting the revocation date: given the choice, they tend to pick a date that is too late rather than one that is too early.

One of the likely reasons for this is that CAs want to avoid invalidating software and documents signed by legitimate customers. In the case above, after Norman notified them, Symantec moved the revocation date back to April 12, 2010, which invalidated the Trojans' signatures.
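The following is an added example, not code from the article or from Norman or Symantec, that models the verifier logic the story turns on: a timestamped signature is accepted only if its timestamp precedes the CRL entry's revocation date, and a signature with no trusted timestamp is judged as of the current time. The CRL entry, the signer's serial number and the signature objects are constructed inline; the dates are the ones reported above. RFC 5280 also defines an invalidityDate extension for the suspected compromise time, but this model uses the revocation date itself, since that is the field the article says Symantec changed.

```python
"""Model of how a code-signing verifier treats a revoked certificate.

Constructed example: the CRL entry and signatures are built inline
with the dates reported in the Norman/VeriSign case; the serial number
is invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CrlEntry:
    """One CRL entry (RFC 5280 s5.1.2.6): the revocation date is the point
    from which the certificate is considered untrustworthy."""
    serial: int
    revocation_date: datetime
    reason: str = "keyCompromise"


@dataclass(frozen=True)
class Signature:
    name: str
    signer_serial: int
    # Time asserted by a trusted timestamp authority countersignature;
    # None means the signature carries no trusted timestamp.
    timestamp: Optional[datetime]


def signature_valid(sig: Signature, crl: Dict[int, CrlEntry], now: datetime) -> bool:
    """Return True if the signature survives revocation checking."""
    entry = crl.get(sig.signer_serial)
    if entry is None:
        return True  # signer certificate is not revoked
    # Without a trusted timestamp the signature is judged as of 'now',
    # so it fails as soon as the certificate is revoked.
    signed_at = sig.timestamp if sig.timestamp is not None else now
    return signed_at < entry.revocation_date


# Constructed sample data (serial number invented; dates from the report).
SIGNER_SERIAL = 0x1234
SIGNATURES = [
    Signature("trojan-1", SIGNER_SERIAL, utc(2010, 4, 13)),
    Signature("trojan-2", SIGNER_SERIAL, utc(2010, 7, 3)),
    Signature("trojan-3", SIGNER_SERIAL, utc(2011, 1, 2)),
    Signature("untimestamped", SIGNER_SERIAL, None),
]

# Revocation date as first set by the CA: the day the compromise was found.
ORIGINAL_ENTRY = CrlEntry(SIGNER_SERIAL, utc(2011, 7, 29))
# Revocation date after it was moved back to the day before the first
# known misuse.
CORRECTED_ENTRY = CrlEntry(SIGNER_SERIAL, utc(2010, 4, 12))


def evaluate(entry: CrlEntry, now: datetime = utc(2011, 11, 21)) -> Dict[str, bool]:
    """Validity of every sample signature under the given CRL entry."""
    crl = {entry.serial: entry}
    return {sig.name: signature_valid(sig, crl, now) for sig in SIGNATURES}


if __name__ == "__main__":
    for label, entry in (("original", ORIGINAL_ENTRY), ("corrected", CORRECTED_ENTRY)):
        print(f"revocation date {entry.revocation_date.date()} ({label}):")
        for name, ok in evaluate(entry).items():
            print(f"  {name}: {'valid' if ok else 'REVOKED'}")
```

With the original July 29 2011 revocation date the three timestamped Trojan signatures pass and only the untimestamped one fails; with the date moved back to April 12, 2010 all four fail, which is the effect of Symantec's correction.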


