Is this something we (as consumers of FreeBSD) need to be aware of?

Damien Fleuriot ml at
Wed Jun 6 18:45:02 UTC 2012

On 6/6/12 7:23 PM, Robert Bonomi wrote:
> "Julian H. Stacey" <jhs at> wrote:
>>> I do wonder about that. What incentive does the possesor of a signing key 
>>> have to keep it secret? 
>> Contract penalty clause maybe ? Lawyers ?
> Contract with _whom_?  The party you pay money to -- Verisign -- simply
> certifies that the party buying the certificate/signing-key  -is- who they 
> claim to be.
> It is *entirely* up to the owner of that certificate/signing-key -who- they
> allow to use it.
> If someone/anyone attempts to 'revoke' that certificate/key _other_ than
> at the request of the owner of that certificate/key, *THAT* party is subject
> to legal sanctions.  Among other things, 'false persona', 'tortuous inter-
> ference in a business relationship', just to name a few.
> There is, however, an 'interesting' legal question -- *if* a party were to
> let 'anybody' use their certificate/key, what is the certificat/key owner's
> legal liability if someone uses that key to sign malware?

Standard contract writeup stipulates that only a limited set of
'authorized' company representatives be given access to the Signing Key.

If the key should be divulged, then the key may be revoked by the issuer.

More information about the freebsd-questions mailing list