Is this something we (as consumers of FreeBSD) need to be aware
ml at my.gd
Thu Jun 7 07:40:41 UTC 2012
On 7 Jun 2012, at 01:54, Robert Bonomi <bonomi at mail.r-bonomi.com> wrote:
>> From owner-freebsd-questions at freebsd.org Wed Jun 6 18:13:09 2012
>> Date: Thu, 07 Jun 2012 00:09:54 +0100
>> From: Bruce Cran <bruce at cran.org.uk>
>> To: Robert Bonomi <bonomi at mail.r-bonomi.com>
>> Cc: freebsd-questions at freebsd.org
>> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
>> On 06/06/2012 20:27, Robert Bonomi wrote:
>>> Suppose I put up a web app that takes an executable as input, signs it
>>> with my key, and returns the signed file to the submitter. I don't
>>> divulge the key to anyone, just use it on 'anything'. Anybody
>>> attempting to revoke on _that_ basis is asking for a lawsuit.
>> To me it would be perfectly reasonable to revoke the key as soon as you
>> signed the first piece of malware.
> It may seem reasonable to you, but is there -legal- basis to do so?
> 'signing' only provides assurance of the identity of the signer. I did
> sign it. The key has not been compromised. The software in question
> is traceable to the signer, but the signer never claimed it was 'error free',
> what contract or statute did they breach by doing the signing?
Signing anything and everything defeats the purpose the key and this whole charade are implemented for.
Under the contract's undoubtedly carefully penned clauses, this would allow for a key revocation.
Make no mistake, they'll go over that contract for several weeks, giving themselves as much manoeuvring room as possible.