Collaborate Disseminate
How does a timestamp prevent use of a leaked expired certificate to sign a malignant executable?
If it is supposedly fine to share or leak expired certificates then why is it safe to allow use of such certificate to sign code if the signat… Continue reading Why can an expired certificate be used to sign a JAR file?
How does a timestamp prevent use of a leaked expired certificate to sign a malignant executable?
If it is supposedly fine to share or leak expired certificates then why is it safe to allow use of such certificate to sign code if the signat… Continue reading Why can an expired certificate be used to sign a JAR file?
I am applying for a new code signing certificate and I specified to the CA I need a certificate that will be time stamped such that any assembly signed during the valid date range will still execute even beyond that date range. They sent … Continue reading What does the OID value in my CSR mean?
RFC 3161 – 4.3 states that:
Thus, any token signed by the TSA SHOULD be time-stamped again (if authentic copies of old CRLs are available) or notarized (if they aren’t) at a later date to renew the trust that exists in the TSA’s signature… Continue reading How Can A Timestamp Be Redone Without Invalidating the Signature?
We use an external scanner (Qualys) to scan our external assets. We have a firewall in front of the external assets, but it is configured to whitelist the scanner so that the external assets get scanned in-depth. But the firewall is also c… Continue reading ICMP timestamp – firewall configured to drop timestamp request, but vulnerability scanner can send request and get a response
Both hosts have just their public and private key pair (but they do not have the other party’s public key).
Bob should be authenticated
Assume that the two hosts share clocks that are synced, i.e timestamps can be used.
I have not found … Continue reading How can Alice ping and authenticate Bob without any of them sharing their public keyes beforehand
I have a web app that communicates with a backend server, and the users of the web app are organisations that each have a single login for the entire organisation. The app is meant to be used for example on TV’s in the cafeteria to display… Continue reading Concatenating timestamp to data before encrypting it – is this a commonly used technique?
I’m currently in the process of writing a program that:
Reads a binary file (a C++ program) and creates a SHA256 hash of the data (like a checksum)
Use this calculated hash and a self signed CA certificate to create a CMS signature using … Continue reading Interaction of a Code Signature and a Timestamp token from a TSA
We started with openssl dgst to sign and verify packages successfully. Then we thought we should do a timestamped signatures. That’s when the process is bit unclear.
We used the openssl ts commands to independently produce and verify signa… Continue reading Using Openssl for Package signing with timestamp
How do I acquire the means to prove in the future that I had possission of a
file now, without relying on the integrity of a single entity? (I believe one
way of doing it would be to put the file through SHA1, and send a minimal
amount of… Continue reading Proving that a file existed at a time