The use Microsoft cross-signed certificates and Apple signing certificates come with contractual obligations specifying the circumstances under which signatures may be used. A signature is not simply a method of proving that code has not been altered. A signature is an indication to a customer that all of the terms of use which might include design requirements, QA requirements, certification requirements, licensing requirements, etc. are satisfied by the signed binary.
Using a Microsoft or Apple signing certificate is not the same as signing an object with your own self-generated cert. The certificates are trusted by the kernel and do not require subsequent online validation. Jeffrey Altman On 10/21/2014 1:37 AM, Mattias Pantzare wrote: > Why would signing of binaries imply anything more that just generate the > binaries without signing? The only thing that signing anything adds it a > way to prove that nothing has been altered. > > You are just as open for lawsuits without signing, the only difference > is that you can trace the right source more easily with the signing. > > > On Tue, Oct 21, 2014 at 1:16 AM, Jeffrey Altman > <jalt...@secure-endpoints.com <mailto:jalt...@secure-endpoints.com>> wrote: > > On 10/20/2014 3:40 PM, Benjamin Kaduk wrote: > > > > Some individual or organization will need to step forward to do that > > signing; I do not believe that there is an "OpenAFS" organization > > currently able or prepared to do so. (Perhaps the Foundation could, > but I > > am not sure.) > > The correct entity to do so for OSX and Microsoft Windows and any other > platform for which OpenAFS.org will distribute signed binaries is the > OpenAFS Foundation. Signing binaries implies an acceptance of liability > if those binaries were to cause harm. The OpenAFS Foundation should not > sign binaries until it has appropriate insurance coverage in place to > protect the release team and the developers that > contribute to the release. > > Your File System Inc. currently signs the Windows installers because > those packages are predominantly a product of YFSI developers and it has > the appropriate General and Errors and Omissions insurance policies in > place to cover any lawsuits that might be initiated. > > Jeffrey Altman > > >
smime.p7s
Description: S/MIME Cryptographic Signature
