Date:      Wed, 06 Jun 2012 20:44:57 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        freebsd-questions@freebsd.org
Subject:   Re: Is this something we (as consumers of FreeBSD) need to be aware of?
Message-ID:  <4FCFA529.1020703@my.gd>
In-Reply-To: <201206061723.q56HNkaF032427@mail.r-bonomi.com>
References:  <201206061723.q56HNkaF032427@mail.r-bonomi.com>



On 6/6/12 7:23 PM, Robert Bonomi wrote:
> "Julian H. Stacey" <jhs@berklix.com> wrote:
>>
>>> I do wonder about that. What incentive does the possessor of a signing key
>>> have to keep it secret? 
>>
>> Contract penalty clause maybe ? Lawyers ?
> 
> Contract with _whom_?  The party you pay money to -- Verisign -- simply
> certifies that the party buying the certificate/signing-key  -is- who they 
> claim to be.
> 
> It is *entirely* up to the owner of that certificate/signing-key -who- they
> allow to use it.
> 
> If someone/anyone attempts to 'revoke' that certificate/key _other_ than
> at the request of the owner of that certificate/key, *THAT* party is subject
> to legal sanctions.  Among other things, 'false persona', 'tortious
> interference in a business relationship', just to name a few.
> 
> There is, however, an 'interesting' legal question -- *if* a party were to
> let 'anybody' use their certificate/key, what is the certificate/key owner's
> legal liability if someone uses that key to sign malware?
> 
>


Standard contract writeup stipulates that only a limited set of
'authorized' company representatives be given access to the Signing Key.

If the key should be divulged, then the key may be revoked by the issuer.


