On 6/6/12 7:23 PM, Robert Bonomi wrote:
> "Julian H. Stacey" <j...@berklix.com> wrote:
>>
>>> I do wonder about that. What incentive does the possessor of a signing key
>>> have to keep it secret?
>>
>> Contract penalty clause maybe ? Lawyers ?
>
> Contract with _whom_? The party you pay money to -- Verisign -- simply
> certifies that the party buying the certificate/signing-key -is- who they
> claim to be.
>
> It is *entirely* up to the owner of that certificate/signing-key -who- they
> allow to use it.
>
> If someone/anyone attempts to 'revoke' that certificate/key _other_ than
> at the request of the owner of that certificate/key, *THAT* party is subject
> to legal sanctions. Among other things, 'false persona', 'tortious
> interference in a business relationship', just to name a few.
>
> There is, however, an 'interesting' legal question -- *if* a party were to
> let 'anybody' use their certificate/key, what is the certificate/key owner's
> legal liability if someone uses that key to sign malware?
>

Standard contract writeup stipulates that only a limited set of 'authorized' company representatives be given access to the Signing Key. If the key should be divulged, then the key may be revoked by the issuer.