[cgl_discussion] Latest draft on security requirements
tabmowzo at us.ibm.com
Wed Nov 13 15:53:02 PST 2002
Stephen Hemminger wrote:
> Be careful about (REQ-SEC-3.3.1) Digital signature verification of
> binaries. There are several patents on signed code and some of the IP
> holders are known to be litigious. InterTrust (soon to be
> Sony/Philips), Microsoft, Intel and probably others have a big stake in

An interesting point. But I would like to pare back the 'requirement'
in a way to be "the necessity of verifying binaries on your system". A
digital signature is actually a solution to this. Note that I can't
really identify, off-hand, any other solutions. But we avoid the
hot-button phrase of 'digital signature' in the requirement.

I do not want to simply drop this whole subject because of the patent
issue. Are there other ways to solve the problem? Rephrasing, as I
did, opens up the thought process I hope.

Peter R. Badovinatz aka 'Wombat' -- IBM Linux Technology Center
preferred: tabmowzo at us.ibm.com / alternate: wombat at us.ibm.com
These are my opinions and absolutely not official opinions of IBM, Corp.