R
RonnBlack
We have a number of applications that are deployed using ClickOnce and we use
the VeriSign timestamping service. The VeriSign timestamping service is being
upgraded to use SHA-1 instead of MD5 and I need to gauge how this will affect
our applications.
From what I understand when the application is signed the TimeStamping
Service is called to generate a hashed timestamp that is inserted in the code
with the signature. When the client verifies the signature it verifies the
timestamp and if it is valid it ignores the expiration date of the
certificate.
This means that nothing should change on the deployment side but it will
affect client machines with older operating systems (Pre Win2k) that don't
know how to deal with SHA1 timestamp.
Can anyone confirm this information and tell me if any other problems await
me?
the VeriSign timestamping service. The VeriSign timestamping service is being
upgraded to use SHA-1 instead of MD5 and I need to gauge how this will affect
our applications.
From what I understand when the application is signed the TimeStamping
Service is called to generate a hashed timestamp that is inserted in the code
with the signature. When the client verifies the signature it verifies the
timestamp and if it is valid it ignores the expiration date of the
certificate.
This means that nothing should change on the deployment side but it will
affect client machines with older operating systems (Pre Win2k) that don't
know how to deal with SHA1 timestamp.
Can anyone confirm this information and tell me if any other problems await
me?