[OpenAFS] Providing signed packages (was Re: any experiences with OpenAFS client ...)

D Brashear shadow@gmail.com
Thu, 23 Oct 2014 14:18:21 -0400


--089e01227a2adff5a905061b161c
Content-Type: text/plain; charset=UTF-8

On Thu, Oct 23, 2014 at 1:19 PM, Gary Buhrmaster <gary.buhrmaster@gmail.com>
wrote:

> On Thu, Oct 23, 2014 at 4:02 PM, Andrew Deason <adeason@sinenomine.net>
> wrote:
> ....
> > For all of these situations where the Foundation would provide the
> > ability to sign binaries, there are those legal considerations, then,
> > but also other things. The Foundation needs to have a point of contact
> > for any of these, and needs to go through the process of signing up for
> > the relevant service and buying the relevant certificates/keys, etc. We
> > also need to have a place or person(s) to store the secret keys; if
> > they're not stored securely, they obviously do no good. It also needs to
> > be clear how they will get used to sign the binary releases (who gets
> > access to the keys for signing).
>
> And this is one place things can get "interesting".  Let us imagine
> someone is evil, and their intent is crack into a major corporation
> that uses OpenAFS.  One might target obtaining that kext signing
> certificate.  Because that key can be used to bypass all of the
> protections that Mac OS X provides.  It is a "key to the kingdom".
>
>
Yes. That's why the kext certificate process is more involved, IMO anyway.

[]


> And that is why a foundation is likely to need (at least)
> Professional Liability Insurance, Directors and Officers
> Insurance, and Produce Liability Insurance (as I believe
> Jeff mentioned).
>
> And the costs for those are going to depend on what liabilities
> one is accepting, and what processes one can show are used
> to limit disclosure of any such certificate.  It might even require
> the foundation to run their own signing infrastructure (as
> many large organizations do).  All of which likely requires
> legal and auditor review. Welcome to some of the true costs of
> operating a non-profit in a litigious society.
>
>

> Sure, that scenario might not happen.  One might even
> argue that it is unlikely (and it probably is).  But then again,
> would you want to be the board member individually sued
> if it does, and the foundation does not provide adequate
> D&O insurance?
>

Or the developer, if the builder and/or signer are not otherwise
contractually tied to the foundation's insurance.

Again, seek actual legal advice.


Yup. And that's the summary I'd give about the understanding
Stephen was looking for after Jeff's earlier comments. Jeff
explained what things looked like, legally, for him. It's not FUD. It's
what Jeff is willing to do based on Jeff's lawyer. What someone
else is willing to do should, though, be entered into by that person
only with an understanding of what their liability is, or with the
explicit knowledge that they plan to ignore it and hope for the best.


-- 
D

--089e01227a2adff5a905061b161c
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Thu, Oct 23, 2014 at 1:19 PM, Gary Buhrmaster <span dir=3D"ltr">&lt;=
<a href=3D"mailto:gary.buhrmaster@gmail.com" target=3D"_blank">gary.buhrmas=
ter@gmail.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Th=
u, Oct 23, 2014 at 4:02 PM, Andrew Deason &lt;<a href=3D"mailto:adeason@sin=
enomine.net">adeason@sinenomine.net</a>&gt; wrote:<br>
....<br>
<span class=3D"">&gt; For all of these situations where the Foundation woul=
d provide the<br>
&gt; ability to sign binaries, there are those legal considerations, then,<=
br>
&gt; but also other things. The Foundation needs to have a point of contact=
<br>
&gt; for any of these, and needs to go through the process of signing up fo=
r<br>
&gt; the relevant service and buying the relevant certificates/keys, etc. W=
e<br>
&gt; also need to have a place or person(s) to store the secret keys; if<br=
>
&gt; they&#39;re not stored securely, they obviously do no good. It also ne=
eds to<br>
&gt; be clear how they will get used to sign the binary releases (who gets<=
br>
&gt; access to the keys for signing).<br>
<br>
</span>And this is one place things can get &quot;interesting&quot;.=C2=A0 =
Let us imagine<br>
someone is evil, and their intent is crack into a major corporation<br>
that uses OpenAFS.=C2=A0 One might target obtaining that kext signing<br>
certificate.=C2=A0 Because that key can be used to bypass all of the<br>
protections that Mac OS X provides.=C2=A0 It is a &quot;key to the kingdom&=
quot;.<br>
<br></blockquote><div><br></div><div>Yes. That&#39;s why the kext certifica=
te process is more involved, IMO anyway.<br><br>[]<br></div><div>=C2=A0</di=
v><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:=
1px #ccc solid;padding-left:1ex">And that is why a foundation is likely to =
need (at least)<br>
Professional Liability Insurance, Directors and Officers<br>
Insurance, and Produce Liability Insurance (as I believe<br>
Jeff mentioned).<br>
<br>
And the costs for those are going to depend on what liabilities<br>
one is accepting, and what processes one can show are used<br>
to limit disclosure of any such certificate.=C2=A0 It might even require<br=
>
the foundation to run their own signing infrastructure (as<br>
many large organizations do).=C2=A0 All of which likely requires<br>
legal and auditor review. Welcome to some of the true costs of<br>
operating a non-profit in a litigious society.<br>
<br></blockquote><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sure, that scenario might not happen.=C2=A0 One might even<br>
argue that it is unlikely (and it probably is).=C2=A0 But then again,<br>
would you want to be the board member individually sued<br>
if it does, and the foundation does not provide adequate<br>
D&amp;O insurance?<br></blockquote><div><br></div><div>Or the developer, if=
 the builder and/or signer are not otherwise<br></div><div>contractually ti=
ed to the foundation&#39;s insurance. <br><br></div><blockquote class=3D"gm=
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex">
Again, seek actual legal advice.=C2=A0 </blockquote><div><br></div><div>Yup=
. And that&#39;s the summary I&#39;d give about the understanding <br></div=
><div>Stephen was looking for after Jeff&#39;s earlier comments. Jeff<br></=
div><div>explained what things looked like, legally, for him. It&#39;s not =
FUD. It&#39;s<br></div><div>what Jeff is willing to do based on Jeff&#39;s =
lawyer. What someone<br>else is willing to do should, though, be entered in=
to by that person<br></div><div>only with an understanding of what their li=
ability is, or with the <br></div><div>explicit knowledge that they plan to=
 ignore it and hope for the best.<br><br></div></div><br>-- <br><div dir=3D=
"ltr">D</div>
</div></div>

--089e01227a2adff5a905061b161c--