tracker issue : CF-3373284

Add a backup certificate so that future certificate revocations don't require a manual update

Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): Adam Tuttle / Adam Tuttle (Adam Tuttle)

Created: 11/28/2012

Components: Hot Fix Installer

Versions: 10.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Platforms All

Vote Count: 1

When the Adobe code signing certificate was compromised, everyone had to manually install an update. This would not have been necessary if a "backup" key were available, used only to replace the primary key in cases like this one.

If an update fails verification with the primary key, verify it against the backup key. If it passes using the backup key, allow it to run.

This could have prevented the need for a manual update to ColdFusion, something that many people still have hurt feelings over.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3373284

External Customer Info:
External Company:  
External Customer Name: Adam.Tuttle
External Customer Email:  
External Test Config: All environments
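
The fallback check requested above, as an added example in Java (not Adobe's code and not part of the original report). The class name, the RSA/SHA-256 choice and the revocation set are assumptions; the example also skips revoked keys, because without that step an update signed with the compromised primary key would still pass. How the revoked set reaches the installer is outside this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration: all names and the revocation set are hypothetical,
// not the ColdFusion hotfix installer's real design.
public class BackupKeyVerifier {
    // SHA-256 fingerprint of the encoded public key, used to name a key.
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(d);
    }

    // Tries each trusted key in order (primary first, then backup).
    // Returns the fingerprint of the key that verified the update, or null.
    static String verify(List<PublicKey> trusted, Set<String> revoked,
                         byte[] update, byte[] sig) throws GeneralSecurityException {
        for (PublicKey key : trusted) {
            String fp = fingerprint(key);
            if (revoked.contains(fp)) continue;   // a revoked key never counts
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(update);
            try {
                if (s.verify(sig)) return fp;
            } catch (SignatureException e) { /* malformed for this key: try next */ }
        }
        return null;                              // no trusted key verified it
    }

    static byte[] sign(PrivateKey k, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(k);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair primary = g.generateKeyPair(), backup = g.generateKeyPair();
        byte[] update = "constructed sample hotfix bytes".getBytes(StandardCharsets.UTF_8);
        List<PublicKey> keys = List.of(primary.getPublic(), backup.getPublic());
        // Scenario: primary compromised and revoked; new updates are signed with backup.
        Set<String> revoked = Set.of(fingerprint(primary.getPublic()));
        byte[] good = sign(backup.getPrivate(), update);
        byte[] bad = sign(primary.getPrivate(), update);
        System.out.println("backup-signed accepted: " + (verify(keys, revoked, update, good) != null));
        System.out.println("revoked-primary-signed accepted: " + (verify(keys, revoked, update, bad) != null));
    }
}
```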



This idea was born out of a blog post I wrote defending the manual update. See the comments here:
Comment by External U.
17104 | November 28, 2012 08:33:00 AM GMT
Vote must be between 25 and 4000 characters
Vote by External U.
17107 | November 28, 2012 08:38:32 AM GMT
And what happens when the backup is compromised?
Comment by External U.
17105 | November 28, 2012 02:30:40 PM GMT
The code signing certificate was indeed compromised but it is not something that one can envision. There is no need to build a solution for such an extreme remote scenario.
Comment by Rupesh K.
17106 | November 29, 2012 12:14:53 AM GMT