On 7 Jun 2012, at 01:54, Robert Bonomi <[email protected]> wrote:
>> From [email protected] Wed Jun 6 18:13:09 2012
>> Date: Thu, 07 Jun 2012 00:09:54 +0100
>> From: Bruce Cran <[email protected]>
>> To: Robert Bonomi <[email protected]>
>> Cc: [email protected]
>> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
>> of?
>>
>> On 06/06/2012 20:27, Robert Bonomi wrote:
>>> Suppose I put up a web app that takes an executable as input, signs it
>>> with my key, and returns the signed file to the submitter. I don't
>>> divulge the key to anyone, just use it on 'anything'. Anybody
>>> attempting to revoke on _that_ basis is asking for a lawsuit.
>>
>> To me it would be perfectly reasonable to revoke the key as soon as you
>> signed the first piece of malware.
>
> It may seem reasonable to you, but is there -legal- basis to do so?
>
> 'signing' only provides assurance of the identity of the signer. I did
> sign it. The key has not been compromised. The software in question
> is traceable to the signer, but the signer never claimed it was 'error free',
> what contract or statute did they breach by doing the signing?
>

Signing anything and everything defeats the purpose the key and this whole charade are implemented for. Under the contract's undoubtedly carefully penned clauses, this would allow for a key revocation. Make no mistake, they'll go over that contract for several weeks, giving themselves as much manoeuvring room as possible.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
