Is this something we (as consumers of FreeBSD) need to be aware of?
Damien Fleuriot
ml at my.gd
Thu Jun 7 07:40:41 UTC 2012
On 7 Jun 2012, at 01:54, Robert Bonomi <bonomi at mail.r-bonomi.com> wrote:
>> From owner-freebsd-questions at freebsd.org Wed Jun 6 18:13:09 2012
>> Date: Thu, 07 Jun 2012 00:09:54 +0100
>> From: Bruce Cran <bruce at cran.org.uk>
>> To: Robert Bonomi <bonomi at mail.r-bonomi.com>
>> Cc: freebsd-questions at freebsd.org
>> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
>> of?
>>
>> On 06/06/2012 20:27, Robert Bonomi wrote:
>>> Suppose I put up a web app that takes an executable as input, signs it
>>> with my key, and returns the signed file to the submitter. I don't
>>> divulge the key to anyone, just use it on 'anything'. Anybody
>>> attempting to revoke on _that_ basis is asking for a lawsuit.
>>
>> To me it would be perfectly reasonable to revoke the key as soon as you
>> signed the first piece of malware.
>
> It may seem reasonable to you, but is there -legal- basis to do so?
>
> 'signing' only provides assurance of the identity of the signer. I did
> sign it. The key has not been compromised. The software in question
> is traceable to the signer, but the signer never claimed it was 'error free',
> what contract or statute did they breach by doing the signing?
>
Signing anything and everything defeats the purpose the key and this whole charade are implemented for.
Under the contract's undoubtedly carefully penned clauses, this would allow for a key revocation.
Make no mistake, they'll go over that contract for several weeks, giving themselves as much manoeuvring room as possible.