[ciphershed] Re: Signed System Driver

  • From: "Alain Forget" <aforget@xxxxxxx>
  • To: <ciphershed@xxxxxxxxxxxxx>
  • Date: Sat, 14 Jun 2014 11:44:28 -0400

Sounds reasonable to me, although I know nothing about how to set that up, or 
any other legal stuff. However, signing certs aside, we'll have to deliver the 
software with the appropriate EULA saying that we bear no responsibility for 
any consequences of using the software and blah blah (which maybe TrueCrypt 
already did?), so that if we do mess up and release broken/malicious software 
by accident, we (as members of the organisation) shouldn't suffer legal 
consequences. However, our reputation would of course suffer...so let's please 
try not to let that happen. :-)

Alain

-----Original Message-----
From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:ciphershed-bounce@xxxxxxxxxxxxx] 
On Behalf Of Stephen R Guglielmo
Sent: Saturday, June 14, 2014 11:38
To: ciphershed@xxxxxxxxxxxxx
Subject: [ciphershed] Re: Signed System Driver

On Sat, Jun 14, 2014 at 11:10 AM, Alain Forget <aforget@xxxxxxx> wrote:
> As far as I know, any certificate authority (such as those listed here: 
> https://en.wikipedia.org/wiki/Certificate_authority#Providers) can provide us 
> with a certificate with which we can sign our drivers (and the Windows 
> installation package).
>
> When I looked these up to obtain one for my research group last year, 
> according to sslshopper.com, I found that DigiCert was the best rated, and 
> their pricing is middle-of-the-road:
>
> 3 Year   $178.33 USD / year
> 2 Year   $198.50 USD / year
> 1 Year   $223.00 USD / year
>
> We will also need the "full legal name" (and full mailing address & phone 
> number) of our organisation. This name will be what shows up on the UAC and 
> installation dialog boxes.
>
> Note that this certificate should be able to digitally sign any software for 
> Windows, Java, Apple, browser extensions, and so on, which may or may not be 
> useful to us later on.
>
> So this leaves some open questions:
>
> 1) How are we going to pay for this? (Yet another use for possible donations, 
> if/when we open that up)
> 2) How long do we want the cert?
> 3) What will our "full legal name" be? I imagine this could be a member of 
> our group who has full intentions of sticking around for the length of the 
> cert, and is comfortable signing our drivers and executables (which I would 
> guess legally means such person is vouching for the integrity and 
> non-maliciousness of the code). However, if we want to make it our 
> "organisation", (CipherShed Inc.? :-P) I fear we don't have a full mailing 
> address and phone number, so...I don't know how we would handle that. 
> Presumably someone could contact the certificate authority and ask how this 
> is done for distributed open-source projects, such as this.
>
> Despite these challenges, if we want our software to be trusted and 
> reputable, I think obtaining a certificate with which to sign our drivers and 
> executables/binaries is a must.
>
> Alain

I agree that we'll definitely have to do this at some point. Those
prices are (somewhat) reasonable, I suppose.

This is where I feel as though we should set up some sort of LLC or
Non-Profit. I would be more than happy to cover the costs of a
certificate, but I don't want any personal liability in the event that
something goes wrong down the line. I "donate" to the organization,
and the organization purchases the cert (not me). No one else should
have to bear that responsibility of personal liability either.

