From owner-freebsd-questions@FreeBSD.ORG Thu Jun 7 08:38:14 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CF066106564A for ; Thu, 7 Jun 2012 08:38:14 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id 5B2E08FC17 for ; Thu, 7 Jun 2012 08:38:14 +0000 (UTC) Received: by eeke49 with SMTP id e49so130476eek.13 for ; Thu, 07 Jun 2012 01:38:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding :x-gm-message-state; bh=PRG7VRqRi9WzAyllmT2uNPwGhuDo5q7tJC7YJieRUes=; b=RpQEi4l45h/iROOhoX8jsDmLuyzjkAsJtWjfV7ffRKPXf5Acn3pVzX1H0z50Rw7jK+ gGCXu5p9FD4K+1MAvCpYdYLfACUBsy39jZPmjPF8CHDItWDB2C0kGOApalxC84G5m8cl dcjo0pqKxGAny34Ar2rW8BHEClqYXWCPljjRoxeRXolWw0Lwziugj2aDDYcvZi6xWM8T 5RmtFkfY6DM5CXUuvj+ktWaQNPDs9birOx5UAWcnpzjFhlxmHNlvzQRDmW/3e11ClDcy U/cl9jScZz9ibJuJAIyVmw1FsqdxF9UreaQgq8P6EhAHTDH8UoYYRuzlpG3tWkN5/Uu7 /Lnw== Received: by 10.14.96.70 with SMTP id q46mr643088eef.231.1339058293237; Thu, 07 Jun 2012 01:38:13 -0700 (PDT) Received: from dfleuriot-at-hi-media.com ([83.167.62.196]) by mx.google.com with ESMTPS id c13sm8246503eeb.7.2012.06.07.01.38.11 (version=SSLv3 cipher=OTHER); Thu, 07 Jun 2012 01:38:12 -0700 (PDT) Message-ID: <4FD06872.1080709@my.gd> Date: Thu, 07 Jun 2012 10:38:10 +0200 From: Damien Fleuriot User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: Daniel Feenberg References: <201206061630.q56GUJj7093472@fire.js.berklix.net> <4FCFA41A.4010506@my.gd> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQk3YbJ7NXu4m3AVBxnSK0V9hnRmKRynXLr0xu0yGqjYLDvMiniv+AanUibA1MJKO0qmaQFv Cc: freebsd-questions@freebsd.org Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jun 2012 08:38:15 -0000 On 6/6/12 9:43 PM, Daniel Feenberg wrote: > > > On Wed, 6 Jun 2012, Damien Fleuriot wrote: > >> >> >> On 6/6/12 6:45 PM, Daniel Feenberg wrote: >>> >>> >>> On Wed, 6 Jun 2012, Julian H. Stacey wrote: >>> >>>>> I do wonder about that. What incentive does the possesor of a signing >>>>> key >>>>> have to keep it secret? >>>> >>>> Contract penalty clause maybe ? Lawyers ? >>> >>> A limited-liability company with no assets is judgement-proof. >>> >>>> >>>> Otherwise one of us would purchase a key for $99, & then publish >>>> the key so we could all forever more compile & boot our own kernels. >>>> But that would presumably break the trap Microsoft & Verisign seek >>>> to impose. >>>> >>> >>> Could it really be that simple? As for hardware vendors putting revoked >>> keys in the ROM - are they really THAT cooperative? Seems like they >>> would drag their feet on ROM updates if they had to add a lot of stuff >>> that won't help them, so that doesn't seem like a great enforcement >>> tool. >>> >>> dan feenberg >> >> >> Oh god... >> >> Please realize that once the key is divulged, it gets revoked at the >> BIOS' next update. > > But my point is that MS doesn't issue the updates, they have to ask the > BIOS vendors to do so, and then the MB vendors have to take the update, > and then the users have to install the update. The incentive at each > level is generally very small. It does create some confusion, but is > hardly an enforcement mechanism. It would disable older versions of > FreeBSD on newer hardware, but not much else. > > A previous poster has pointed out that MS can't revoke a certificate > belonging to RH, but I suppose the could ask the BIOS vendors to treat > it as revoked. I don't know what the response would be. > > Daniel Feenberg > That is indeed the case. This is akin to, for example, Sony's race against Homebrewers on the good ol' PSP. When hackers found a hardware flaw that enabled them to install custom firmware, Sony had to release new versions of the consoles with fixed hardware. The old ones were still exploitable but the new ones weren't.