From owner-freebsd-questions@FreeBSD.ORG Wed Jun 6 17:23:20 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1F7A91065692 for ; Wed, 6 Jun 2012 17:23:20 +0000 (UTC) (envelope-from bonomi@mail.r-bonomi.com) Received: from mail.r-bonomi.com (mx-out.r-bonomi.com [204.87.227.120]) by mx1.freebsd.org (Postfix) with ESMTP id CD6438FC12 for ; Wed, 6 Jun 2012 17:23:19 +0000 (UTC) Received: (from bonomi@localhost) by mail.r-bonomi.com (8.14.4/rdb1) id q56HNkaF032427 for freebsd-questions@freebsd.org; Wed, 6 Jun 2012 12:23:46 -0500 (CDT) Date: Wed, 6 Jun 2012 12:23:46 -0500 (CDT) From: Robert Bonomi Message-Id: <201206061723.q56HNkaF032427@mail.r-bonomi.com> To: freebsd-questions@freebsd.org In-Reply-To: <201206061630.q56GUJj7093472@fire.js.berklix.net> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jun 2012 17:23:20 -0000 "Julian H. Stacey" wrote: > > > I do wonder about that. What incentive does the possesor of a signing key > > have to keep it secret? > > Contract penalty clause maybe ? Lawyers ? Contract with _whom_? The party you pay money to -- Verisign -- simply certifies that the party buying the certificate/signing-key -is- who they claim to be. It is *entirely* up to the owner of that certificate/signing-key -who- they allow to use it. If someone/anyone attempts to 'revoke' that certificate/key _other_ than at the request of the owner of that certificate/key, *THAT* party is subject to legal sanctions. Among other things, 'false persona', 'tortuous inter- ference in a business relationship', just to name a few. There is, however, an 'interesting' legal question -- *if* a party were to let 'anybody' use their certificate/key, what is the certificat/key owner's legal liability if someone uses that key to sign malware?