[cgl_discussion] Latest draft on security requirements

Peter Badovinatz tabmowzo at us.ibm.com
Wed Nov 13 15:53:02 PST 2002


Stephen Hemminger wrote:
> 
> Be careful about (REQ-SEC-3.3.1) Digital signature verification of
> binaries.  There are several patents on signed code and some of the IP
> holders are known to be litigious.  InterTrust (soon to be
> Sony/Philips), Microsoft, Intel and probably others have a big stake in
> this.

An interesting point.  But I would like to pare back the 'requirement'
in a way to be "the necessity of verifying binaries on your system".  A
digital signature is actually a solution to this.  Note that I can't
really identify, off-hand, any other solutions.  But we avoid the
hot-button phrase of 'digital signature' in the requirement.

I do not want to simply drop this whole subject because of the patent
issue.  Are there other ways to solve the problem?  Rephrasing, as I
did, opens up the thought process I hope.

Peter
--
Peter R. Badovinatz aka 'Wombat' -- IBM Linux Technology Center
preferred: tabmowzo at us.ibm.com / alternate: wombat at us.ibm.com
These are my opinions and absolutely not official opinions of IBM, Corp.



More information about the cgl_discussion mailing list