I was recently asked why AIR fetches a Thawte CRL (from http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl) every time an application is installed--even if the application was signed with a certificate from another CA. It turns out there is a good reason for this, and the clue is in the URL itself.
By default, all AIR application signatures are timestamped. Timestamps are created by a timestamp server, and are themselves signatures. When AIR validates the timestamp signature, it downloads the CRL associated with the timestamp signing certificate--just like it would when validating any other signature. And the Thawte timestamp server uses a certificate that--no surprise here--has a CRL hosted by Thawte.
This default is easy to override using the "-tsa" option to the AIR file packaging tool, adt. A value of "-tsa none" turns off timestamps entirely. To specify an alternate timestamp server, specify the URL of that server after the -tsa flag.
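To make the timestamp policy an explicit choice at build time rather than a silent default, here is a small wrapper around the adt signing options described above. This is an added example, not code from the original post or from Adobe: it assumes adt is on the PATH, that the keystore is a PKCS#12 file (`signing.p12` is a placeholder), and the application file names are placeholders too. The three choices it accepts mirror the text: the empty default (adt's built-in Thawte timestamp server, hence the Thawte CRL fetch at install time), `none`, or the URL of another timestamp server.

```sh
#!/bin/sh
# Added example (not from the original post): choose the AIR timestamp policy
# explicitly when packaging with adt.
# Assumptions: adt is on PATH; KEYSTORE and the app files are placeholders.

: "${KEYSTORE:=signing.p12}"   # placeholder PKCS#12 signing keystore
: "${ADT:=adt}"                # adt binary (override for testing)

# Map a policy to the adt -tsa option:
#   ""        -> no option; adt uses its default (Thawte) timestamp server,
#                so installers will fetch the Thawte timestamping CA's CRL
#   none      -> -tsa none; no timestamp, so no timestamp-CRL fetch at all,
#                but the signature stops validating once the cert expires
#   http(s)   -> -tsa <url>; the CRL fetched at install time is then the one
#                named in that server's signing certificate, not Thawte's
tsa_arg() {
  case "$1" in
    "")                 echo "" ;;
    none)               echo "-tsa none" ;;
    http://*|https://*) echo "-tsa $1" ;;
    *) echo "tsa_arg: expected 'none' or an http(s) URL, got '$1'" >&2
       return 1 ;;
  esac
}

# Print the adt command line without running it (preview / dry run).
# $1 = tsa policy, $2 = output .air, $3 = app descriptor, rest = app files
build_adt_cmd() {
  policy=$1; out=$2; desc=$3; shift 3
  tsa=$(tsa_arg "$policy") || return 1
  echo "$ADT -package -storetype pkcs12 -keystore $KEYSTORE ${tsa:+$tsa }$out $desc $*"
}

# Actually package the application with the chosen timestamp policy.
# Same arguments as build_adt_cmd; the store password is prompted by adt
# unless -storepass is added to the signing options.
package_air() {
  policy=$1; out=$2; desc=$3; shift 3
  tsa=$(tsa_arg "$policy") || return 1
  # $tsa is intentionally unquoted so it splits into the flag and its value.
  # shellcheck disable=SC2086
  "$ADT" -package -storetype pkcs12 -keystore "$KEYSTORE" $tsa "$out" "$desc" "$@"
}

# Preview the three variants (placeholder file names, constructed for the example).
build_adt_cmd ""   app.air app-app.xml app.swf
build_adt_cmd none app.air app-app.xml app.swf
build_adt_cmd https://tsa.example.test/rfc3161 app.air app-app.xml app.swf
```

Usage: `package_air none app.air app-app.xml app.swf` packages without a timestamp; pass an `https://` URL instead of `none` to use a different timestamp server. Whichever server is chosen, the CRL that AIR fetches at install time is the one listed in that server's signing certificate, which is the point the post makes about the Thawte URL.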
For more on AIR code signing, including why timestamping is used, take a look at Code Signing in Adobe AIR.