Paco (2026: New) Hope

Amateur professional #selfhost sysadmin. Professional amateur #cloud #security at #AWS. Also fond of #cats, #cigars, #whiskey and #pipes. I like board games and some video games. I am #covid cautious and I still #wearamask. Opinions are my own, but they can be yours too. 100% Organic:,No artificial colors, preservatives, or intelligence added.

  • 0 Posts
  • 5 Comments
Joined 7 years ago
Cake day: September 27th, 2018
  • Paco (2026: New) Hope@infosec.exchangetoTechnology@beehaw.orgHow important is it to verify the signing certificate...English
    5·
    3 years ago

    @hedge doing the math is one thing. Deciding on the semantics of what it MEANS is something else. If it verifies, what does that mean? Does it mean the contents of a file are “good” (valid, trustworthy, not malicious, complete, etc)? Does it mean you know WHO signed it? And what does that WHO really mean? A person, an organisation? Was the user that caused the signature authorised to do so? What do you believe about the identity, knowing that the certificate validated?

    And if the certificate DOESNT verify…what does it mean? Does it mean the contents were modified? Does it mean the contents are invalid? And HOW does it fail to verify? Was the signature made before the NotBefore date? Was the signature made after the NotAfter Date? Is the certificate fine and the signature valid, but the certificate who signed the certificate who made the signature somehow untrustworthy? Or maybe the certificate you have is a tampered certificate where the identity has been modified, but the cryptographic math of the signature on your file checks out. So the contents of the file are probably fine.

    We don’t ask these questions. And we definitely don’t answer them. As James Mickens says in his talk about computer science, “The stuff is what the stuff is, man.”