From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4A64E479.2000007@etr-usa.com>
Date: Mon, 20 Jul 2009 21:42:00 -0000
From: Warren Young
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
To: The Vulgar and Unprofessional Cygwin-Talk List
Subject: Re: Zone alarm, you have failed me for the first time... and the last. (BLODA news)
References: <4A63E16D.2010503@gmail.com>
In-Reply-To: <4A63E16D.2010503@gmail.com>
Mailing-List: contact cygwin-talk-help@cygwin.com; run by ezmlm
Reply-To: The Vulgar and Unprofessional Cygwin-Talk List
Mail-Followup-To: cygwin-talk@cygwin.com
X-SW-Source: 2009-q3/txt/msg00023.txt.bz2

Dave Korn wrote:
> Newer versions of ZA don't run on w2k

Is Win2K still running on old time zone data, or did MS finally cave to the pressure to release that patch without requiring a $1000 payment?

Anyway, that was enough of a scare for me. No more Win2K on boxes that have to remain patched. I now use Win2K only to run IE6 in VMs for web site testing. (Could use old XP, but Win2K is more suited to VM use.)

> should I be able to undermine the whole of PKI just by
> winding the clock back on my PC? Expired should mean expired revoked deleted
> and not available again even if you try IMO ...

Expiration is not the same thing as revocation.

Expiration just means you're delinquent on the Verisign Vig. The cert doesn't stop being useful. The CA just stops certifying that the holder is who he says he is. A client in possession of such a cert should warn you, but let you keep using it.

In your particular case, this means you shouldn't have had to set your clock back, as you aren't actually hacking anything by doing that. More like working around a bug.

Revocation means the cert's fingerprint gets put on a CRL, which PKI clients are supposed to download and use to reject certs, whether expired or no. This can happen, e.g., because the private key fell into the wrong hands. No one is supposed to trust anything signed by that key any more, because we can't trust those who have the key. The CA doesn't get to do this on their own; it's something pushed to the CA on behalf of their client.
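The expiry-versus-revocation distinction above, as an added example that is not part of the thread: the validity window is judged against whatever clock the client supplies, so winding the clock back hides "expired", while a CRL hit is independent of the clock and is checked first. The certificate bytes and CRL contents are constructed stand-ins, not real certificates.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    der: bytes              # constructed stand-in for the DER encoding
    not_before: datetime
    not_after: datetime

    def fingerprint(self) -> str:
        # Fingerprint = hash of the encoded certificate (SHA-1 here, as
        # browsers of the era displayed it).
        return hashlib.sha1(self.der).hexdigest()


def check_cert(cert: Cert, crl: Set[str], now: datetime) -> Tuple[str, List[str]]:
    """Classify a cert as revoked / not-yet-valid / expired / valid.

    Revocation is tested before the validity window, so a rolled-back
    clock can change an 'expired' verdict but never a 'revoked' one.
    """
    warnings: List[str] = []
    if cert.fingerprint() in crl:
        return "revoked", ["listed on CRL: do not trust anything it signed"]
    if now < cert.not_before:
        return "not-yet-valid", warnings
    if now > cert.not_after:
        warnings.append("expired: CA no longer vouches for the holder; warn, then allow")
        return "expired", warnings
    return "valid", warnings


# Constructed sample data: a one-year cert issued mid-2008 and a second cert
# whose key leaked and was therefore revoked.
ISSUED = datetime(2008, 7, 1, tzinfo=timezone.utc)
SITE = Cert("example.test", b"constructed-der-site", ISSUED, ISSUED + timedelta(days=365))
LEAKED = Cert("leaked.test", b"constructed-der-leaked", ISSUED, ISSUED + timedelta(days=365))
CRL = {LEAKED.fingerprint()}


def verdicts_with_clock(now: datetime) -> Tuple[str, str]:
    """Verdicts for both certs under a given client clock."""
    return check_cert(SITE, CRL, now)[0], check_cert(LEAKED, CRL, now)[0]


if __name__ == "__main__":
    for clock in (datetime(2009, 7, 20, tzinfo=timezone.utc), datetime(2009, 1, 1, tzinfo=timezone.utc)):
        print(clock.date(), verdicts_with_clock(clock))
```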