This is the mail archive of the cygwin-talk mailing list for the cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)


Dave Korn wrote:
Newer versions of ZA don't run on w2k

Is Win2K still running on old time zone data, or did MS finally cave to the pressure to release that patch without requiring a $1000 payment?


Anyway, that was enough of a scare for me. No more Win2K on boxes that have to remain patched. I now use Win2K only to run IE6 in VMs for web site testing. (Could use old XP, but Win2K is more suited to VM use.)

should I be able to undermine the whole of PKI just by
winding the clock back on my PC?  Expired should mean expired revoked deleted
and not available again even if you try IMO ...

Expiration is not the same thing as revocation.


Expiration just means you're delinquent on the Verisign Vig. The cert doesn't stop being useful. The CA just stops certifying that the holder is who he says he is. A client in possession of such a cert should warn you, but let you keep using it. In your particular case, this means you shouldn't have had to set your clock back, as you aren't actually hacking anything by doing that. More like working around a bug.

Revocation means the cert's fingerprint gets put on a CRL, which PKI clients are supposed to download and use to reject certs, whether expired or no. This can happen, e.g., because the private key fell into the wrong hands. No one is supposed to trust anything signed by that key any more, because we can't trust those who have the key. The CA doesn't get to do this on their own, it's something pushed to the CA on behalf of their client.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]