Is this something we (as consumers of FreeBSD) need to be aware
of?
Robert Bonomi
bonomi at mail.r-bonomi.com
Wed Jun 6 19:27:04 UTC 2012
> From owner-freebsd-questions at freebsd.org Wed Jun 6 13:46:43 2012
> Date: Wed, 06 Jun 2012 20:44:57 +0200
> From: Damien Fleuriot <ml at my.gd>
> To: freebsd-questions at freebsd.org
> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
> of?
>
>
>
> On 6/6/12 7:23 PM, Robert Bonomi wrote:
> > "Julian H. Stacey" <jhs at berklix.com> wrote:
> >>
> >>> I do wonder about that. What incentive does the possesor of a signing key
> >>> have to keep it secret?
> >>
> >> Contract penalty clause maybe ? Lawyers ?
> >
> > Contract with _whom_? The party you pay money to -- Verisign -- simply
> > certifies that the party buying the certificate/signing-key -is- who they
> > claim to be.
> >
> > It is *entirely* up to the owner of that certificate/signing-key -who- they
> > allow to use it.
> >
> > If someone/anyone attempts to 'revoke' that certificate/key _other_ than
> > at the request of the owner of that certificate/key, *THAT* party is subject
> > to legal sanctions. Among other things, 'false persona', 'tortuous inter-
> > ference in a business relationship', just to name a few.
> >
> > There is, however, an 'interesting' legal question -- *if* a party were to
> > let 'anybody' use their certificate/key, what is the certificat/key owner's
> > legal liability if someone uses that key to sign malware?
>
> Standard contract writeup stipulates that only a limited set of
> 'authorized' company representatives be given access to the Signing Key.
Which simply begs the question. _who_ decides who is or is not an 'authorized'
representative? Or how many such persons are allowed?
> If the key should be divulged, then the key may be revoked by the issuer.
Suppose I put up a web app that takes an executable as input, signs it with
my key, and returns the signed filt to the submitter. I don't divulge the
key to anyone, just use it on 'anything'. Anybody attempting to revoke on
_that_ basis is asking for a lawsuit.
More information about the freebsd-questions
mailing list