Monday, March 7th 2022

Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

NVIDIA code-signing certificates stolen in the recent cyber-attack are being used to sign a new breed of malware that appears "trustworthy" to Windows PCs. The certificates leaked to the web by the hacker group expired in 2014 and 2018, but Windows PCs still accept them as having been used for signing drivers. One such malware, which surfaced at anti-virus provider VirusTotal, is a variant of the Quasar RAT (remote-access trojan) signed with the NVIDIA certificates. A RAT works in the background, granting the attacking group read-write remote access to your machine, which they can then use for anything from stealing data to holding it to ransom by encrypting it.
Source: BleepingComputer

35 Comments on Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

#26
TheoneandonlyMrK
R-T-B: I mean I've always felt relying on code-signing certificates rather than common sense isn't teaching the user good computing habits anyways. Code-signing is an excuse not to learn properly, in short. When it works, sure, it works. And when it fails, it fails hard, like here.

Why not just teach people?

Oh right... because, we're dealing with a population of computer illiterate potatoes. I keep forgetting.

I'm sorry I say it that harshly, but you know it's true.
Well we do tend to be a large network's "computer person", which is actually quite telling in itself re the blind leading the blind.
Posted on Reply
#27
windwhirl
ncrs: the timestamping countersignature prevents using those leaked CAs for signing new software, under normal circumstances.
Not entirely, because the timestamp requirement doesn't apply to certs issued before July 29, 2015. Both drivers were issued before that date.

docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-

Exceptions

Cross-signed drivers are still permitted if any of the following are true:
  • The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
  • Secure Boot is off in the BIOS.
  • Drivers were signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.
Posted on Reply
#29
windwhirl
bug: Leave it to Microsoft to implement an established security mechanism, until nothing's left of it :slap:
This is Nvidia's problem, first and foremost. They should have destroyed the signing certs the moment they expired.
Posted on Reply
#30
bug
windwhirl: This is Nvidia's problem, first and foremost. They should have destroyed the signing certs the moment they expired.
Try using an expired certificate in a web browser and then get back to me, ok?
Posted on Reply
#31
windwhirl
bug: Try using an expired certificate in a web browser and then get back to me, ok?
Because hardware is the same thing as a webpage.
Posted on Reply
#32
bug
windwhirl: Because hardware is the same thing as a webpage.
Certificate handling is always a software affair.
Who ever talked hardware in this thread?
Posted on Reply
#33
windwhirl
bug: Certificate handling is always a software affair.
Who ever talked hardware in this thread?
OK, tell me then: do people throw their hardware into the trash the moment it is 3 years old?

What do you think the certs were being used for?
Posted on Reply
#34
bug
windwhirl: OK, tell me then: do people throw their hardware into the trash the moment it is 3 years old?

What do you think the certs were being used for?
Wth does that have to do with Windows deciding it should not tell you you're being presented with an expired certificate?
Posted on Reply
#35
ncrs
windwhirl: Not entirely, because the timestamp requirement doesn't apply to certs issued before July 29, 2015. Both drivers were issued before that date.

docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
As far as I understood this page, it's not about the timestamp counter-signature, but about cross-signing with another trusted CA (akin to what Let's Encrypt did to broaden compatibility by having an older, established CA cross-sign their intermediary CA). It also says that drivers for modern versions of Win10 (with Secure Boot) are to be signed by Microsoft, and not NVidia, so they are most likely not affected by this entire event.
Either way this problem is not about signing drivers, but general code signature generation. In the OP there's a screenshot of Explorer's view with "Timestamp: unavailable". The interesting part is that there's no "Details" view visible because it probably would show that the signature is invalid due to missing timestamp. The last screenshot also shows failed validation.

I'm suspecting this entire news piece is PR for the group that stole NV's data going something like this: "look, we have the private keys to older code signing certificates, you probably are wondering if we have the current ones, we do, but for a price".
Posted on Reply
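The two mechanisms argued over in #27 and #35 (the cross-signing exceptions windwhirl quotes from the Microsoft policy page, and the timestamp countersignature ncrs points to, which the leaked-cert samples lack) can be modelled as a small triage helper. This is an added example written for this page, not code from the article, the thread, Microsoft or NVIDIA; the certificate validity dates are constructed placeholders rather than the real certificates' dates, and authenticode_status, cross_signed_driver_permitted and triage are hypothetical helper names. The model deliberately ignores revocation and the lifetime-signing EKU.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Cutoff quoted in the thread from Microsoft's kernel-mode code-signing policy page:
# end-entity certs issued before this date may still chain to a cross-signed CA.
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


@dataclass
class Signature:
    """Simplified Authenticode signature, as shown in Explorer's signature tab."""
    cert_not_before: datetime
    cert_not_after: datetime
    # Time asserted by the timestamp countersignature, or None when Explorer
    # shows "Timestamp: unavailable" (as in the screenshots discussed above).
    timestamp: Optional[datetime]


def authenticode_status(sig: Signature, now: datetime) -> str:
    """Classify a signature the way a timestamp-aware verifier would.

    With a countersignature the signing time is anchored: the signature stays
    valid after the certificate expires, provided it was made inside the
    certificate's validity window. Without one, the verifier can only compare
    the validity window against the current clock, so an expired certificate
    yields an invalid signature no matter when the file was really signed.
    """
    if sig.timestamp is not None:
        if sig.cert_not_before <= sig.timestamp <= sig.cert_not_after:
            return "valid (timestamped within certificate validity)"
        return "invalid (timestamp outside certificate validity)"
    if now > sig.cert_not_after:
        return "invalid (certificate expired, no timestamp)"
    if now < sig.cert_not_before:
        return "invalid (certificate not yet valid, no timestamp)"
    return "valid (no timestamp; relies on current clock)"


def cross_signed_driver_permitted(cert_not_before: datetime,
                                  upgraded_from_earlier_release: bool,
                                  secure_boot_off: bool) -> bool:
    """The three exceptions quoted from the policy page; any one is enough."""
    return (upgraded_from_earlier_release
            or secure_boot_off
            or cert_not_before < CROSS_SIGN_CUTOFF)


def triage(sig: Signature, now: datetime,
           upgraded: bool, secure_boot_off: bool) -> dict:
    """One-call summary a responder can log for a suspicious signed binary."""
    return {
        "signature": authenticode_status(sig, now),
        "legacy_cross_sign_path": cross_signed_driver_permitted(
            sig.cert_not_before, upgraded, secure_boot_off),
    }


# Constructed samples (placeholder dates, not the real NVIDIA certificates).
# A certificate that expired in 2014, used without any timestamp countersignature.
EXPIRED_2014 = Signature(
    cert_not_before=datetime(2011, 9, 1, tzinfo=timezone.utc),
    cert_not_after=datetime(2014, 9, 1, tzinfo=timezone.utc),
    timestamp=None,
)
# Same certificate, but the file was countersigned by a timestamp server in 2013.
TIMESTAMPED_2013 = Signature(
    cert_not_before=EXPIRED_2014.cert_not_before,
    cert_not_after=EXPIRED_2014.cert_not_after,
    timestamp=datetime(2013, 5, 1, tzinfo=timezone.utc),
)
# Same certificate with a timestamp that post-dates its expiry.
TIMESTAMPED_2022 = Signature(
    cert_not_before=EXPIRED_2014.cert_not_before,
    cert_not_after=EXPIRED_2014.cert_not_after,
    timestamp=datetime(2022, 1, 1, tzinfo=timezone.utc),
)
# A certificate issued after the cross-signing cutoff.
POST_CUTOFF_NOT_BEFORE = datetime(2016, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2022, 3, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, sig in (("expired, no timestamp", EXPIRED_2014),
                      ("timestamped 2013", TIMESTAMPED_2013),
                      ("timestamped 2022", TIMESTAMPED_2022)):
        print(name, "->", triage(sig, NOW, upgraded=False, secure_boot_off=False))
```

Run as a script it prints one triage line per sample; the untimestamped, expired sample is the shape of the "Timestamp: unavailable" case in the thread, and its legacy_cross_sign_path flag is what makes a pre-2015 certificate interesting for driver loading even though the signature itself no longer validates.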