Jeffrey Walton wrote:
Hi All,

I was reading on CyanogenMod (a custom ROM project for Android) and
"The story behind the mysterious CyanogenMod update"
(http://lwn.net/Articles/448134/).

Interestingly, it seems some privaye keys were circulated to comply
with GPL V3 with some nasty side effects (could anything else be
expected?). Some interesting points were brought up, including how to
comply with GPL V3.

Is anyone aware of papers on integrity/signature schemes or protocols
tailored for GPL V3? Or does this reduce to (1) allow the
hardware/firmware to load additional [trusted] public keys; or (2)
provide the private key for the hardware?

Jeff
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography


The high-level picture would be as follows:

[A] The GPL V3 philosophy excludes software intended to run on proprietary hardware.

[B] The custom ROM software version distributed under GPL V3 has to distribute a private key such that it is not tied to proprietary hardware. Consequently, accepting the software license terms includes the implicit limitation of an explicitly-breached signature key.

[C] However, the GPL philosophy allows closed or proprietary modifications *within*an*organization*, so the IT department could use its own private key applicable to the internally distributed hardware. It may well be unworkable in practice because all software components might need the IT department blessing/signature, but who demonstrated that code signing was workable at all at the institutional level?

[D] The GPL V3 compliance would forbid any transfer of such gplv3-turned-proprietary ROM-based equipment outside of the organization (one would put back the original ROM version as part of IT equipment sanitization before disposal).

I guess multiple keys or other schemes can only be attempts to obfuscate the fact that one breaches either the software integrity mechanism or the relevant GPL rule: you may not re-distribute without allowing modifications.

Overall, [C] is perhaps the essential vision of trusted computing where some hardware comes bound to a central authority responsible for software integrity. I never understood why the central authority had to be the hardware vendor who also sells to influential governments.

Regards,

--
- Thierry Moreau

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to