Is this something we (as consumers of FreeBSD) need to be aware
bonomi at mail.r-bonomi.com
Wed Jun 6 17:23:20 UTC 2012
"Julian H. Stacey" <jhs at berklix.com> wrote:
> > I do wonder about that. What incentive does the possessor of a signing key
> > have to keep it secret?
> Contract penalty clause maybe? Lawyers?
Contract with _whom_? The party you pay money to -- Verisign -- simply
certifies that the party buying the certificate/signing-key -is- who they
claim to be.
It is *entirely* up to the owner of that certificate/signing-key -who- they
allow to use it.
If someone/anyone attempts to 'revoke' that certificate/key _other_ than
at the request of the owner of that certificate/key, *THAT* party is subject
to legal sanctions. Among other things, 'false persona', 'tortious
interference in a business relationship', just to name a few.
There is, however, an 'interesting' legal question -- *if* a party were to
let 'anybody' use their certificate/key, what is the certificate/key owner's
legal liability if someone uses that key to sign malware?