Jeffrey,
I'd like to learn more about this. However since you sell a proprietary
fork of OpenAFS, it's difficult to discount your possible incentive to
spread FUD regarding OpenAFS.
Therefore can you provide URIs with specific information to educate me (and
possibly others) regarding these contractual obligations related to binary
signing?
Thanks in advance!
Cheers,
Stephen
On Tue, 21 Oct 2014, Jeffrey Altman wrote:
The use Microsoft cross-signed certificates and Apple signing
certificates come with contractual obligations specifying the
circumstances under which signatures may be used. A signature is not
simply a method of proving that code has not been altered. A signature
is an indication to a customer that all of the terms of use which might
include design requirements, QA requirements, certification
requirements, licensing requirements, etc. are satisfied by the signed
binary.
Using a Microsoft or Apple signing certificate is not the same as
signing an object with your own self-generated cert. The certificates
are trusted by the kernel and do not require subsequent online validation.
Jeffrey Altman
On 10/21/2014 1:37 AM, Mattias Pantzare wrote:
Why would signing of binaries imply anything more that just generate the
binaries without signing? The only thing that signing anything adds it a
way to prove that nothing has been altered.
You are just as open for lawsuits without signing, the only difference
is that you can trace the right source more easily with the signing.
On Tue, Oct 21, 2014 at 1:16 AM, Jeffrey Altman
<jalt...@secure-endpoints.com <mailto:jalt...@secure-endpoints.com>> wrote:
On 10/20/2014 3:40 PM, Benjamin Kaduk wrote:
>
> Some individual or organization will need to step forward to do that
> signing; I do not believe that there is an "OpenAFS" organization
> currently able or prepared to do so. (Perhaps the Foundation could, but I
> am not sure.)
The correct entity to do so for OSX and Microsoft Windows and any other
platform for which OpenAFS.org will distribute signed binaries is the
OpenAFS Foundation. Signing binaries implies an acceptance of liability
if those binaries were to cause harm. The OpenAFS Foundation should not
sign binaries until it has appropriate insurance coverage in place to
protect the release team and the developers that
contribute to the release.
Your File System Inc. currently signs the Windows installers because
those packages are predominantly a product of YFSI developers and it has
the appropriate General and Errors and Omissions insurance policies in
place to cover any lawsuits that might be initiated.
Jeffrey Altman
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
