
I have read about the option to create certificates for code signing and time stamping. Why do we need both of them? I understand that it helps me when I need to increase the validity of my code, but why not use only one of them with a bigger validity period?

For example, let's consider a code signing certificate with one year of validity and a time stamping certificate with two years. Isn't it better to create only a code signing certificate with a two-year period?

When a code signing certificate is put on a CRL, are all its signatures invalid? What about putting a time stamping certificate on a CRL?

Is there a scenario in which we would prefer to have a time stamping certificate without a code signing certificate?

adi
  • To make sure that the code which is installed is authentic and up-to-date. Having a timestamp, you can implement an anti-rollback policy. This reduces the risk of exploiting bugs found in old versions. – VovCA Jun 12 '18 at 20:14
  • You're asking a lot of different questions, but I think they are mostly based on the false assumption that a "timestamping certificate" is something that you need to buy as a software publisher. I will try to address that in my answer. You might get better help in the future, though, if you just ask one main question at a time. – David Grayson Jun 13 '18 at 19:35

1 Answer

As a software publisher, you typically just buy one certificate, not two. You buy a code signing certificate, use it to make a signature, and then get that signature timestamped to prove that you made the signature before your code signing certificate expired. The timestamping is done by a server run by a certificate authority, and they sign the timestamp using their own certificate; you don't need to provide one at that point.

I don't think anything special happens when certificates in the chain of trust of your timestamp expire, but I could be wrong.

  • I see, so this option exists only in order to enable us to increase the validity time of the code signing certificate. – adi Jun 13 '18 at 19:39
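The mechanism the answer describes, as an added example in Go (not code from the original answer, and not how any real signing tool or CA is implemented): a constructed root CA issues a one-year code-signing certificate and a longer-lived time-stamping certificate; the publisher signs a stand-in payload; the TSA countersigns the signature together with a time; and the verifier then checks the package both at signing time and a year after the code-signing certificate has expired. The certificate names, the payload, the token format (a hash over the signature bytes and an RFC 3339 time) and the verifier policy are all assumptions for illustration and are much simpler than RFC 3161 tokens or Authenticode rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs; any failure is fatal for this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a certificate for it (self-signed when parent == nil).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, nb, na time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: new(big.Int).Add(must(rand.Int(rand.Reader, big.NewInt(1<<62))), big.NewInt(1)),
		Subject:      pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na, ExtKeyUsage: eku,
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// SignedPackage stands in for a signed binary plus its (hypothetical, simplified) timestamp token.
type SignedPackage struct {
	Payload, Signature, TSASig []byte          // Signature: publisher over SHA-256(Payload); TSASig: TSA over tsDigest
	SignerCert, TSACert        *x509.Certificate // code-signing cert; time-stamping cert (nil when never timestamped)
	Timestamp                  time.Time        // asserted by the TSA, not by the publisher
}

// tsDigest binds the signature bytes to the instant the TSA saw them (assumed token format).
func tsDigest(sig []byte, ts time.Time) []byte {
	h := sha256.Sum256(append(append([]byte{}, sig...), ts.UTC().Format(time.RFC3339)...))
	return h[:]
}

// Verify judges the package as a verifier running at time now would: with a valid timestamp the
// code-signing cert only has to have been valid at that time, otherwise it must be valid now.
// Simplification: the TSA's own chain is checked at now; real verifiers apply more elaborate rules.
func Verify(p *SignedPackage, roots *x509.CertPool, now time.Time) error {
	d := sha256.Sum256(p.Payload)
	if !ecdsa.VerifyASN1(p.SignerCert.PublicKey.(*ecdsa.PublicKey), d[:], p.Signature) {
		return fmt.Errorf("publisher signature does not verify")
	}
	at := now
	if p.TSACert != nil {
		if _, err := p.TSACert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}, CurrentTime: now}); err != nil {
			return fmt.Errorf("time-stamping certificate: %w", err)
		}
		if !ecdsa.VerifyASN1(p.TSACert.PublicKey.(*ecdsa.PublicKey), tsDigest(p.Signature, p.Timestamp), p.TSASig) {
			return fmt.Errorf("timestamp token does not verify")
		}
		at = p.Timestamp // trusted evidence of when the signature already existed
	}
	if _, err := p.SignerCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, CurrentTime: at}); err != nil {
		return fmt.Errorf("code-signing certificate at %s: %w", at.Format("2006-01-02"), err)
	}
	return nil
}

// BuildScenario: one-year code-signing cert, five-year TSA cert, signature made and timestamped six months in.
func BuildScenario() (*SignedPackage, *x509.CertPool) {
	t0 := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC) // constructed dates; nothing depends on the wall clock
	year := 365 * 24 * time.Hour
	ca, caKey := issue("Example Root CA (constructed)", true, nil, t0, t0.Add(10*year), nil, nil)
	signer, signerKey := issue("Example Publisher (constructed)", false, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, t0, t0.Add(year), ca, caKey)
	tsa, tsaKey := issue("Example TSA (constructed)", false, []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}, t0, t0.Add(5*year), ca, caKey)
	signedAt := t0.Add(year / 2)
	payload := []byte("constructed stand-in for a binary")
	d := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, signerKey, d[:]))
	tsSig := must(ecdsa.SignASN1(rand.Reader, tsaKey, tsDigest(sig, signedAt)))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &SignedPackage{Payload: payload, Signature: sig, TSASig: tsSig, SignerCert: signer, TSACert: tsa, Timestamp: signedAt}, roots
}

func main() {
	pkg, roots := BuildScenario()
	later := pkg.SignerCert.NotAfter.Add(365 * 24 * time.Hour) // a year after the code-signing cert expired
	fmt.Println("with timestamp:   ", Verify(pkg, roots, later))
	pkg.TSACert = nil // same signature, timestamp discarded
	fmt.Println("without timestamp:", Verify(pkg, roots, later))
}
```

Running it prints `<nil>` for the timestamped package and an expiry error for the same signature without its timestamp. Two details carry the security weight: the time used to judge the code-signing certificate comes from the TSA's countersignature, never from the publisher or the file, so altering the recorded time breaks the token; and the time-stamping certificate is checked for the time-stamping extended key usage, so a code-signing certificate cannot be reused to timestamp its own signatures, which is why the two roles are kept separate even though the publisher only buys one of them.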