[OpenAFS] Providing signed packages (was Re: any experiences with OpenAFS client ...)

Gary Buhrmaster gary.buhrmaster@gmail.com
Thu, 23 Oct 2014 17:19:06 +0000

On Thu, Oct 23, 2014 at 4:02 PM, Andrew Deason <adeason@sinenomine.net> wrote:
> For all of these situations where the Foundation would provide the
> ability to sign binaries, there are those legal considerations, then,
> but also other things. The Foundation needs to have a point of contact
> for any of these, and needs to go through the process of signing up for
> the relevant service and buying the relevant certificates/keys, etc. We
> also need to have a place or person(s) to store the secret keys; if
> they're not stored securely, they obviously do no good. It also needs to
> be clear how they will get used to sign the binary releases (who gets
> access to the keys for signing).

And this is one place things can get "interesting".  Let us imagine
someone is evil, and their intent is to crack into a major corporation
that uses OpenAFS.  One might target obtaining that kext signing
certificate.  Because that key can be used to bypass all of the
protections that Mac OS X provides.  It is a "key to the kingdom".

Now, if that major corporation gets cracked via a kext that was
signed using the OpenAFS certificate, and all their secrets
get stolen, they *may* decide to go after those that allowed
it to happen.  That might be the OpenAFS foundation.  And
their board members, and whoever signed the kext.  And
perhaps more (remember, you are looking for the "deep
pockets" for collection, or at least to show that you took the
crack seriously, and are going all out to recoup your losses).

If the OpenAFS foundation cannot show that they had strong
processes in place to protect that certificate and use it only
in an appropriate and approved manner, then, since this is likely
to be considered a "foreseeable event", their legal team would
possibly be at a disadvantage.

And that is why a foundation is likely to need (at least)
Professional Liability Insurance, Directors and Officers
Insurance, and Product Liability Insurance (as I believe
Jeff mentioned).

And the costs for those are going to depend on what liabilities
one is accepting, and what processes one can show are used
to limit disclosure of any such certificate.  It might even require
the foundation to run their own signing infrastructure (as
many large organizations do).  All of which likely requires
legal and auditor review. Welcome to some of the true costs of
operating a non-profit in a litigious society.

Sure, that scenario might not happen.  One might even
argue that it is unlikely (and it probably is).  But then again,
would you want to be the board member individually sued
if it does, and the foundation does not provide adequate
D&O insurance?

And that does not even get into an alternative possibility
that some future (well-meaning, good-intentioned) change
breaks in Mac OS X, and someone decides to sue the
foundation for losses (in most jurisdictions, the cost to
file is low; some people do it just for sport.  Defending is
never as cheap as the filing).

Again, seek actual legal advice.  Nothing said on this
list is (necessarily) valid for your specific situation.
Especially nothing I am saying.  The board will need
to accept some risks for the foundation.  Signing
kexts may be one of them.  Or, perhaps, it is a risk
too far at this time.  Your lawyer can assist you in
navigating this process.  Choose well.