Zone alarm, you have failed me for the first time... and the last. (BLODA news)
Mon Jul 20 21:42:00 GMT 2009
Dave Korn wrote:
> Newer versions of ZA don't run on w2k
Is Win2K still running on old time zone data, or did MS finally cave to
the pressure to release that patch without requiring a $1000 payment?
Anyway, that was enough of a scare for me. No more Win2K on boxes that
have to remain patched. I now use Win2K only to run IE6 in VMs for web
site testing. (Could use old XP, but Win2K is more suited to VM use.)
> should I be able to undermine the whole of PKI just by
> winding the clock back on my PC? Expired should mean expired revoked deleted
> and not available again even if you try IMO ...
Expiration is not the same thing as revocation.
Expiration just means you're delinquent on the Verisign Vig. The cert
doesn't stop being useful. The CA just stops certifying that the holder
is who he says he is. A client in possession of such a cert should warn
you, but let you keep using it. In your particular case, this means you
shouldn't have had to set your clock back, as you aren't actually
hacking anything by doing that. More like working around a bug.
Revocation means the cert's fingerprint gets put on a CRL, which PKI
clients are supposed to download and use to reject certs, whether
expired or no. This can happen, e.g., because the private key fell into
the wrong hands. No one is supposed to trust anything signed by that
key any more, because we can't trust those who have the key. The CA
doesn't get to do this on their own, it's something pushed to the CA on
behalf of their client.
More information about the Cygwin-talk