
Impact of Certificate Revocation on Software Integrity and Risks

Revoking a digital certificate does not automatically invalidate signatures, such as software signatures, that were made with that certificate. What matters is the revocation date, which determines the point in time after which a signature will no longer be validated. According to a report from anti-virus specialist Norman, Windows validated the signatures of several recently discovered trojans as a result, and no warning was issued before the malware was installed. The trojans were signed with a key that had been stolen from a Japanese company. The corresponding certificate was reported as compromised on 29 July 2011 and revoked by its issuing Certificate Authority (CA), VeriSign, which is now part of Symantec. However, that same date was also entered as the revocation date.
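
The effect of the revocation date can be seen in a small model. This is an added example, not code from the article, Norman's report or Windows. It assumes a simplified rule in which a signature with a trusted timestamp is judged as of signing time and one without is judged at verification time. Only the 29 July 2011 date comes from the article; every other date and name is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date published by the CA

@dataclass
class Signature:
    name: str
    timestamp: Optional[datetime]  # trusted countersignature time, None if absent

def evaluate(sig: Signature, cert: Cert, now: datetime) -> str:
    """Return 'valid' or the reason the signature is rejected (simplified model)."""
    # With a trusted timestamp the certificate is judged as of signing time;
    # without one it is judged as of the moment of verification.
    when = sig.timestamp or now
    if not (cert.not_before <= when <= cert.not_after):
        return "outside certificate validity period"
    if cert.revoked_at is not None and when >= cert.revoked_at:
        return "certificate revoked"
    return "valid"

# Constructed sample data; only the 29 July 2011 date comes from the article.
NOW = utc(2011, 9, 1)
REPORTED = utc(2011, 7, 29)      # date the compromise was reported
ASSUMED_THEFT = utc(2011, 6, 1)  # hypothetical date the key was stolen
SIGNATURES = [
    Signature("legit-release", utc(2011, 3, 15)),
    Signature("trojan-timestamped", utc(2011, 7, 10)),
    Signature("trojan-no-timestamp", None),
]

def verdicts(revoked_at: datetime) -> dict:
    """Evaluate every sample signature against a given revocation date."""
    cert = Cert(utc(2010, 1, 1), utc(2012, 12, 31), revoked_at)
    return {s.name: evaluate(s, cert, NOW) for s in SIGNATURES}

if __name__ == "__main__":
    for label, date in (("report date", REPORTED), ("backdated", ASSUMED_THEFT)):
        print(label, verdicts(date))
```

With the revocation date set to the report date, the timestamped trojan still passes; backdating it to the assumed theft date rejects both trojans while the earlier legitimate release stays valid.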

The link for this article located at H Security is no longer available.
