On Sat, 6 May 2006, Martin Schaffstall wrote:

> I just had an idea: Would it be useful/feasible to sign all
> executables in Solaris with a cryptographic key and only allow
> execution of signed binaries then? Would this help to improve system
> security?

Hi Martin -

It may be useful, and in fact we thought of it in Solaris 10.
At least all of ON is cryptographically signed for Solaris 10.
Except for plugins to the Solaris Cryptographic Framework,
none of the signatures are currently checked at run time.

All patches for ON are additionally signed for Solaris 10.
This gives us the ability to turn on signature checking,
if desired, in a Solaris 10 update release.

We are still signing all binaries in Nevada, but still only
checking the plugins for the Solaris cryptographic framework.

Of course, the verification of the signatures is a bit of
a chicken or the egg problem :-)

You'll probably get more feedback on this topic on
[EMAIL PROTECTED]

Valerie
--
Sponsor me in the Breathe Easy 2 Rock Ride - 65 miles!
Money raised goes to the American Lung Association:
http://www.mrsnv.com/evt/e01/part.jsp?id=805&acct=0273018478&rid=0
I'll take care of the Sun matching gift for you! Easy!
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org