Zone alarm, you have failed me for the first time... and the last. (BLODA news)

Warren Young
Mon Jul 20 21:42:00 GMT 2009

Dave Korn wrote:
> Newer versions of ZA don't run on w2k

Is Win2K still running on old time zone data, or did MS finally cave to 
the pressure to release that patch without requiring a $1000 payment?

Anyway, that was enough of a scare for me.  No more Win2K on boxes that 
have to remain patched.  I now use Win2K only to run IE6 in VMs for web 
site testing.  (Could use old XP, but Win2K is more suited to VM use.)

> should I be able to undermine the whole of PKI just by
> winding the clock back on my PC?  Expired should mean expired revoked deleted
> and not available again even if you try IMO ...

Expiration is not the same thing as revocation.

Expiration just means you're delinquent on the Verisign Vig.  The cert 
doesn't stop being useful.  The CA just stops certifying that the holder 
is who he says he is.  A client in possession of such a cert should warn 
you, but let you keep using it.  In your particular case, this means you 
shouldn't have had to set your clock back, as you aren't actually 
hacking anything by doing that.  More like working around a bug.

Revocation means the cert's fingerprint gets put on a CRL, which PKI 
clients are supposed to download and use to reject certs, whether 
expired or no.  This can happen, e.g., because the private key fell into 
the wrong hands.  No one is supposed to trust anything signed by that 
key any more, because we can't trust those who have the key.  The CA 
doesn't get to do this on their own, it's something pushed to the CA on 
behalf of their client.

More information about the Cygwin-talk mailing list