From owner-freebsd-questions@FreeBSD.ORG  Wed Jun  6 23:53:55 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id AC8D8106567C
	for <freebsd-questions@freebsd.org>;
	Wed,  6 Jun 2012 23:53:55 +0000 (UTC)
	(envelope-from bonomi@mail.r-bonomi.com)
Received: from mail.r-bonomi.com (mx-out.r-bonomi.com [204.87.227.120])
	by mx1.freebsd.org (Postfix) with ESMTP id 667478FC14
	for <freebsd-questions@freebsd.org>;
	Wed,  6 Jun 2012 23:53:55 +0000 (UTC)
Received: (from bonomi@localhost)
	by mail.r-bonomi.com (8.14.4/rdb1) id q56NsMAA037016
	for freebsd-questions@freebsd.org; Wed, 6 Jun 2012 18:54:22 -0500 (CDT)
Date: Wed, 6 Jun 2012 18:54:22 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
Message-Id: <201206062354.q56NsMAA037016@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org
In-Reply-To: <4FCFE342.2050809@cran.org.uk>
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
	of?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jun 2012 23:53:55 -0000

> From owner-freebsd-questions@freebsd.org  Wed Jun  6 18:13:09 2012
> Date: Thu, 07 Jun 2012 00:09:54 +0100
> From: Bruce Cran <bruce@cran.org.uk>
> To: Robert Bonomi <bonomi@mail.r-bonomi.com>
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
>  of?
>
> On 06/06/2012 20:27, Robert Bonomi wrote:
> > Suppose I put up a web app that takes an executable as input, signs it 
> > with my key, and returns the signed filt to the submitter. I don't 
> > divulge the key to anyone, just use it on 'anything'. Anybody 
> > attempting to revoke on _that_ basis is asking for a lawsuit.
>
> To me it would be perfectly reasonable to revoke the key as soon as you 
> signed the first piece of malware.

It may seem reasonable to you, but is there -legal- basis to do so? 

'signing' only provides assurance of the identity of the signer. I did
sign it.  The key has not been compromised.  The software in question 
is tracable to the signer, but the signer never claimed it was 'error free',
what conract or statute did they breach by doing the signing?