[SSL Observatory] Fwd: Adobe code-signing cert compromised from an HSM

Phillip Hallam-Baker hallam at gmail.com
Mon Oct 1 13:47:35 PDT 2012


Sounds like revoking that cert would cause a large amount of existing
software to stop installing, possibly stop running. That would cause a
considerable amount of disruption in itself. What is the best decision for
one security concern is not necessarily the best for another.

There are multiple code signing schemes in use with little consistency
between them. Ideally code signing should sign the code itself but in many
cases only signs the distribution. Ideally it should be possible to revoke
individual signatures but in practice the signer has to be revoked.

It would be a lot better if we could get the platform providers to all
agree on a single approach and apply it consistently but this has not
occurred.


On Mon, Oct 1, 2012 at 4:30 PM, Lee Fisher <blibbet at gmail.com> wrote:

> FYI
>
> -------- Original Message --------
> Subject: [DC206] Adobe code-signing cert compromised from an HSM
> Date: Mon, 1 Oct 2012 12:13:43 -0700
> From: Duane Blanchard <dblanchard at gmail.com>
> To: list at dc206.org
>
> One of Adobe's code-signing certs was compromised from a physically
> secure HSM last week. The cert was used, among other things, to sign a
> Windows utility that dumped Windows password hashes.
>
> "Adobe plans to revoke the certificate on October 4 for all software
> code signed after July 10, 2012. Adobe is in the process of issuing
> updates signed using a new digital certificate for all affected
> products."
>
> I'm curious what prevents Adobe from revoking the cert immediately.
> Also, the security advisory below gives the "MD5 hash of [the] file
> with [the] signature removed." I don't see how the signature could be
> removed, even when one holds the secret key. Could someone please
> explain that?
>
> Adobe's blog post on it:
> http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html
>
> Adobe's security advisory on it:
> http://www.adobe.com/support/security/advisories/apsa12-01.html
>
> Thanks,
>
> Duane
>


-- 
Website: http://hallambaker.com/
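The question in the forwarded message of how a signature can be "removed" from a signed Windows binary without the private key comes down to the Authenticode file layout: the PKCS#7 signature is an appended WIN_CERTIFICATE blob that lies outside every section and is reachable only through the security data directory entry, and both the blob and that entry are excluded from the Authenticode digest. Stripping it is therefore file surgery, not cryptography. The Python below is an added example, not code from this thread, from Adobe, or from the advisory; the build_sample_pe helper constructs a synthetic, non-executable PE32+ image purely as test input, and the "signature" it appends is a placeholder string, not a real PKCS#7 structure.

```python
import hashlib
import struct

# Constants from the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _security_dir_offset(pe: bytes) -> int:
    """File offset of the security data-directory entry (8 bytes: offset, size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == PE32_MAGIC:
        dirs = opt_hdr + 96
    elif magic == PE32PLUS_MAGIC:
        dirs = opt_hdr + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("no security directory entry")
    return dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def strip_authenticode(pe: bytes) -> bytes:
    """Return a copy of the image with its Authenticode signature removed.

    The certificate table is a WIN_CERTIFICATE blob stored outside all
    sections; the security directory entry holds its *file offset* (not an
    RVA) and size.  Removing the signature means cutting the blob out and
    zeroing the entry.  No key material is needed for this.
    """
    off = _security_dir_offset(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, off)
    if cert_size == 0:
        return pe  # already unsigned
    if cert_off + cert_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    out = bytearray(pe)
    struct.pack_into("<II", out, off, 0, 0)
    # The table is normally the last thing in the file, so this is a
    # truncation; if data followed it, the splice would shift that data.
    del out[cert_off:cert_off + cert_size]
    return bytes(out)


def md5_without_signature(pe: bytes) -> str:
    """MD5 of the file bytes with the signature blob removed."""
    return hashlib.md5(strip_authenticode(pe)).hexdigest()


def build_sample_pe(signed: bool) -> bytes:
    """Constructed test data: a minimal PE32+ header with no sections and a
    64-byte filler body, optionally followed by a placeholder WIN_CERTIFICATE.
    It is not loadable and the appended blob is not a real PKCS#7 signature."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    body = b"\x90" * 64                                   # stand-in for code/data
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body
    if not signed:
        return image
    payload = b"constructed-signature-blob-not-a-real-PKCS7"
    payload += b"\0" * (-(8 + len(payload)) % 8)          # 8-byte alignment
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    out = bytearray(image)
    sec = 64 + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", out, sec, len(out), len(cert))
    return bytes(out) + cert


if __name__ == "__main__":
    signed, unsigned = build_sample_pe(True), build_sample_pe(False)
    print("signed  :", hashlib.md5(signed).hexdigest())
    print("stripped:", md5_without_signature(signed))
    print("unsigned:", hashlib.md5(unsigned).hexdigest())
```

The hash this produces covers the file minus the appended blob, which is the kind of value an advisory can publish so that a copy with a different or missing signature can still be matched against the same binary. It is not the Authenticode digest itself: the loader computes that over the same bytes but also skips the optional-header CheckSum field and the security directory entry, which is why re-signing or stripping does not change it. Tools such as osslsigncode's remove-signature command perform the same truncate-and-zero operation on real files.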
