Is this something we (as consumers of FreeBSD) need to be aware of?

Robert Bonomi bonomi at
Wed Jun 6 19:27:04 UTC 2012

> From owner-freebsd-questions at  Wed Jun  6 13:46:43 2012
> Date: Wed, 06 Jun 2012 20:44:57 +0200
> From: Damien Fleuriot <ml at>
> To: freebsd-questions at
> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
>  of?
> On 6/6/12 7:23 PM, Robert Bonomi wrote:
> > "Julian H. Stacey" <jhs at> wrote:
> >>
> >>> I do wonder about that. What incentive does the possesor of a signing key 
> >>> have to keep it secret? 
> >>
> >> Contract penalty clause maybe ? Lawyers ?
> > 
> > Contract with _whom_?  The party you pay money to -- Verisign -- simply
> > certifies that the party buying the certificate/signing-key  -is- who they 
> > claim to be.
> > 
> > It is *entirely* up to the owner of that certificate/signing-key -who- they
> > allow to use it.
> > 
> > If someone/anyone attempts to 'revoke' that certificate/key _other_ than
> > at the request of the owner of that certificate/key, *THAT* party is subject
> > to legal sanctions.  Among other things, 'false persona', 'tortuous inter-
> > ference in a business relationship', just to name a few.
> > 
> > There is, however, an 'interesting' legal question -- *if* a party were to
> > let 'anybody' use their certificate/key, what is the certificat/key owner's
> > legal liability if someone uses that key to sign malware?
> Standard contract writeup stipulates that only a limited set of
> 'authorized' company representatives be given access to the Signing Key.

Which simply begs the question. _who_ decides who is or is not an 'authorized'
representative?   Or how many such persons are allowed?

> If the key should be divulged, then the key may be revoked by the issuer.

Suppose I put up a web app that takes an executable as input, signs it with
my key, and returns the signed filt to the submitter.  I don't divulge the
key to anyone, just use it on 'anything'.  Anybody attempting to revoke on
_that_ basis is asking for a lawsuit.

More information about the freebsd-questions mailing list