Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Mon Feb 25 2013 - 10:42:46 EST


On Mon, Feb 25, 2013 at 03:33:12PM +0100, Florian Weimer wrote:
> * Matthew Garrett:
>
> > I don't think that's a problem. Just put the original binary hash in the
> > certificate before signing it, and extend the X.509 parser to refuse
> > certificates that have a tag that's present in dbx.
>
> Why would Microsoft put a hash of something into dbx which they
> haven't signed? Wouldn't this make them subject to a
> denial-of-service attack on their platform if they revoke something
> with surprising consequences?

? The entire point is that the key is in a binary that Microsoft have
signed.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
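
An added example, not part of the original message or of any kernel patch: a lookup of the kind the quoted proposal implies, walking the `EFI_SIGNATURE_LIST` entries of a dbx blob and refusing a certificate whose embedded hash tag is listed. It assumes the tag is a 32-byte SHA-256; the hook name `cert_tag_allowed` and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID from the UEFI spec, in on-disk byte order. */
static const uint8_t SHA256_GUID[16] = { 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50,
    0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if hash is listed in dbx, 0 if not, -1 if dbx is malformed. */
int dbx_has_sha256(const uint8_t *dbx, size_t len, const uint8_t hash[32])
{
    for (size_t off = 0; off < len; ) {
        const uint8_t *l = dbx + off;
        if (len - off < 28)
            return -1;                  /* truncated 28-byte list header */
        uint32_t list = le32(l + 16), hdr = le32(l + 20), sig = le32(l + 24);
        if (list < 28 || list > len - off || hdr > list - 28 || sig <= 16 ||
            (list - 28 - hdr) % sig)
            return -1;                  /* sizes inconsistent */
        if (!memcmp(l, SHA256_GUID, 16) && sig == 16 + 32)
            for (uint32_t i = 0; i < list - 28 - hdr; i += sig)
                if (!memcmp(l + 28 + hdr + i + 16, hash, 32))
                    return 1;           /* +16 skips the owner GUID */
        off += list;
    }
    return 0;
}

/* Hypothetical parser hook: accept only on a clean miss (fail closed). */
int cert_tag_allowed(const uint8_t *dbx, size_t len, const uint8_t tag[32])
{
    return dbx_has_sha256(dbx, len, tag) == 0;
}

/* Constructed sample: one-entry dbx revoking the hash 0xAA * 32, with `cut`
 * bytes chopped off the end; looks up a tag made of `fill` * 32. */
int sample_allowed(uint8_t fill, size_t cut)
{
    uint8_t dbx[76] = {0}, tag[32];
    memcpy(dbx, SHA256_GUID, 16);
    dbx[16] = 76; dbx[24] = 48;         /* list size, entry size (LE) */
    memset(dbx + 44, 0xAA, 32);
    memset(tag, fill, 32);
    return cert_tag_allowed(dbx, sizeof(dbx) - cut, tag);
}
```

A malformed or truncated dbx is treated as a refusal, so a damaged revocation list cannot cause a revoked tag to be accepted.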