[cgl_discussion] Latest draft on security requirements

Stephen Hemminger shemminger at osdl.org
Wed Nov 13 16:10:05 PST 2002

On Wed, 2002-11-13 at 15:53, Peter Badovinatz wrote:
> Stephen Hemminger wrote:
> > 
> > Be careful about (REQ-SEC-3.3.1) Digital signature verification of
> > binaries.  There are several patents on signed code and some of the IP
> > holders are known to be litigious.  InterTrust (soon to be
> > Sony/Philips), Microsoft, Intel and probably others have a big stake in
> > this.
>
> An interesting point.  But I would like to pare back the 'requirement'
> in a way to be "the necessity of verifying binaries on your system".  A
> digital signature is actually a solution to this.  Note that I can't
> really identify, off-hand, any other solutions.  But we avoid the
> hot-button phrase of 'digital signature' in the requirement.
>
> I do not want to simply drop this whole subject because of the patent
> issue.  Are there other ways to solve the problem?  Rephrasing, as I
> did, opens up the thought process I hope.
>
> Peter

Your idea sounds good. Specify it in terms of required function.
Implementation is where infringement happens; it just may not be
possible to easily walk through this IP minefield. IBM and Intel have
leverage in this area if they want to bring it to a solution.
