this post was submitted on 20 Jun 2023
12 points (100.0% liked)

Technology

37603 readers
558 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
Los@beehaw.org
coldredlight@beehaw.org
SemioticStandard@beehaw.org
TheRtRevKaiser@kbin.social
remington@beehaw.org
12
How important is it to verify the signing certificate... (beehaw.org)
submitted 1 year ago by hedge@beehaw.org to c/technology@beehaw.org
9 comments fedilink hide all child comments
 

...of a file's SHA256 fingerprint? If I have my terminology correct here...

you are viewing a single comment's thread
view the rest of the comments
[–] paco@infosec.exchange 4 points 1 year ago

@hedge doing the math is one thing. Deciding on the semantics of what it MEANS is something else. If it verifies, what does that mean? Does it mean the contents of a file are “good” (valid, trustworthy, not malicious, complete, etc)? Does it mean you know WHO signed it? And what does that WHO really mean? A person, an organisation? Was the user that caused the signature authorised to do so? What do you believe about the identity, knowing that the certificate validated?

And if the certificate DOESNT verify…what does it mean? Does it mean the contents were modified? Does it mean the contents are invalid? And HOW does it fail to verify? Was the signature made before the NotBefore date? Was the signature made after the NotAfter Date? Is the certificate fine and the signature valid, but the certificate who signed the certificate who made the signature somehow untrustworthy? Or maybe the certificate you have is a tampered certificate where the identity has been modified, but the cryptographic math of the signature on your file checks out. So the contents of the file are probably fine.

We don’t ask these questions. And we definitely don’t answer them. As James Mickens says in his talk about computer science, “The stuff is what the stuff is, man.”