[Committee-d] A signing problem
Seth David Schoen
schoen at loyalty.org
Wed Mar 29 03:33:16 EST 2006

Suppose that there is a developer who creates applications for PDAs
and mobile phones.
The developer signs the source and binary packages that she publishes.
She packages the binary packages in a standard format that is supported
by a large number of mobile devices that all use the same
microprocessor. Anyone who has a device that runs on that
microprocessor can -- if the device is programmed to allow it --
download and run Deborah's object package.

Some of those devices are manufactured or sold by Yoyodyne Corporation,
which does not want to give users the freedom to install the software of
their choice on its devices. However, the managers at Yoyodyne (who
all have unrestricted PDAs made by rival companies for their own
personal use) discover that the developer's (Deborah's) application is
really useful and that the ability to install it on Yoyodyne PDAs would
enhance their value. They hard-code Deborah's public key into the
next-generation Yoyodyne PDA and tell it to allow users to install
anything signed by Deborah.

Empresas Inamigaveis SA is another manufacturer of compatible devices
that would potentially be capable of running Deborah's applications.
They are a little more paranoid than Yoyodyne and do not want to
delegate directly to her the ability to empower their customers to
run anything she wants. (It is unclear whether they fear that
Deborah will become a spyware developer or whether they worry that
she will start generating signatures for third-party development
tools and interpreters that would be able to run arbitrary third-party
applications.) EI approaches Deborah with a suggestion. If she
will submit new versions of her object code packages to EI, they
will, after verifying certain properties of her application to their
satisfaction, generate and publish their own signature on the
particular versions that they think are safe and not incompatible
with their business model. Then their users will be able to choose
to run those versions of Deborah's software on their EI PDAs.

Since Deborah wants to make her software available to the largest
possible number of people, she agrees and starts e-mailing her
new versions to EI for their verification. She never makes any
changes to her software on their behalf, but she realizes that they
reserve the right to approve or disapprove each version on its
own. After a while, she sets up an RSS feed to notify EI
automatically when a new version comes out.

After two years, Deborah's application is so popular with EI's
customers that EI decides to start charging customers separately
for the ability to run it. (Users of EI PDAs don't have to pay
Deborah because she doesn't ask for a royalty for her application.
However, they do have to pay EI because EI won't give them the
software or keys necessary to run Deborah's application without
payment of a special "third-party software activation fee".)

Another company, Eigentumstechnik GmbH, also makes compatible
PDAs. They download various versions of Deborah's program and
review and sign it to authorize their users to run it. They
don't ask Deborah about this or even tell her that they're doing
it, but it proves to be so popular that EGTT starts to consider
Deborah's work a "killer application" and a mainstay of their
market -- it's a major reason that people buy EGTT devices.

Since Deborah hasn't been writing this program for a living,
they start to worry about what might happen if she decided to
stop developing it, or just about what would happen if she got
distracted by other interests. In order to align Deborah's
incentives with their own, EGTT decides to make a voluntary
contribution of 1 Euro to Deborah for each copy of her work
that gets installed on an EGTT customer device. EGTT does not
enter into a contractual relationship with Deborah; they just
send her a letter in which they say that they want to show their
appreciation for her work and hope to allow her to continue to
devote her efforts to developing new versions of her application.

Sure enough, EGTT's plan works: the amount of money they're
sending her allows Deborah to quit her day job and spend all
her time working on maintaining her application. Of course,
it still runs perfectly on EI and Yoyodyne PDAs, and even on
"open" PDAs made by other companies (that is, PDAs that allow
their owners to install software of the owner's choice).
However, Yoyodyne's excellent marketing and EI and EGTT's
deep "discounts" (subsidies based on the assumption that most
customers will pay substantial fees after purchase for the
right to run particular third-party software applications)
start to drive the open PDA makers out of the market. Within
a few years, only 8% of purchasers of PDAs that would be
technically capable of running Deborah's software have PDAs
that allow them to install modified versions not published
by Deborah (and possibly approved by the manufacturer).

The knowledge represented by Deborah's signing key is of value for
several different reasons:
* it represents Deborah's artistic control over the direction of her
project and is tied to her reputation as a good programmer;
* it helps people who get a copy of her application know that it
really came from her and hasn't been infected with a virus or
spyware;
* it is used by Yoyodyne as a means of control over its users.

The knowledge represented by EI's and EGTT's signing keys is of
value because these keys are used by them as means of control
over their respective users (and thereby, perhaps, as a means of
extracting revenue from the users for the right to perform an
action that would have had no marginal cost to anyone).

My questions are: Where did Deborah go astray? Has she still not
gone astray? What if she actually got paid by a company pursuant
to contract to develop software directly with the goal that it be
used only on one platform and only in unmodified form, with at least
the latter condition enforced by technical means within the target
platform? If Deborah incorporated GPLv3-covered code originally
written by someone else into her application, what would the
definition of "complete corresponding source code" encompass? Is
there anything here that she would be prohibited by GPLv3 from
doing for some other reason than a potential failure to provide
the CCSC?

--
Seth David Schoen <schoen at loyalty.org> | This is a new focus for the security
http://www.loyalty.org/~schoen/ | community. The actual user of the PC
http://vitanuova.loyalty.org/ | [...] is the enemy.
| -- David Aucsmith, IDF 1999
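The three verification policies in the scenario above, as an added example that is not part of Schoen's post: a Yoyodyne device has Deborah's public key hard-coded and installs anything she signs, including a version no manufacturer has reviewed; EI and EGTT devices trust only their own key, so every version needs a fresh manufacturer signature, and an EI signature copied from an earlier version does not carry over to the next one. Everything concrete here is an assumption not in the original: Ed25519 keys generated at run time, a SHA-256 digest over package name, version and code as the signed message, the signer labels, and the constructed package contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Package is a hypothetical binary package: the bytes a device would load.
type Package struct {
	Name    string
	Version string
	Code    []byte
}

// Digest is what every party signs. Binding name and version into the hash
// means a signature on one version says nothing about any other version.
func (p Package) Digest() []byte {
	h := sha256.New()
	h.Write([]byte(p.Name + "\x00" + p.Version + "\x00"))
	h.Write(p.Code)
	return h.Sum(nil)
}

// Signer is one party's Ed25519 key pair (Deborah, EI or EGTT). Assumed
// algorithm; the post does not name one.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Pub: pub, priv: priv}
}

func (s Signer) Sign(p Package) []byte { return ed25519.Sign(s.priv, p.Digest()) }

// Signed is a package plus the signatures shipped with it, keyed by signer label.
type Signed struct {
	Pkg  Package
	Sigs map[string][]byte // label -> signature over Pkg.Digest()
}

// Policy is a device's install rule. Trusted holds the public keys hard-coded
// into the firmware; an Open device skips verification entirely.
type Policy struct {
	Open    bool
	Trusted map[string]ed25519.PublicKey // one valid signature from any entry suffices
}

// Allows reports whether a device running this policy would install s.
func (pol Policy) Allows(s Signed) bool {
	if pol.Open {
		return true
	}
	d := s.Pkg.Digest()
	for label, pub := range pol.Trusted {
		if sig, ok := s.Sigs[label]; ok && ed25519.Verify(pub, d, sig) {
			return true
		}
	}
	return false
}

// Scenario plays out the post's story with constructed packages and returns,
// per package, which device kinds would install it.
func Scenario() map[string]map[string]bool {
	deborah, ei, egtt := NewSigner(), NewSigner(), NewSigner()
	devices := map[string]Policy{
		"open":     {Open: true},
		"yoyodyne": {Trusted: map[string]ed25519.PublicKey{"deborah": deborah.Pub}},
		"ei":       {Trusted: map[string]ed25519.PublicKey{"ei": ei.Pub}},
		"egtt":     {Trusted: map[string]ed25519.PublicKey{"egtt": egtt.Pub}},
	}

	v1 := Package{"deborah-app", "1.0", []byte("constructed v1 code")}
	v2 := Package{"deborah-app", "2.0", []byte("constructed v2 code")}
	mod := Package{"deborah-app", "2.0", []byte("constructed v2 code, patched by a user")}

	pkgs := map[string]Signed{
		// v1: Deborah signed it, EI reviewed and countersigned, EGTT signed on its own.
		"v1": {v1, map[string][]byte{"deborah": deborah.Sign(v1), "ei": ei.Sign(v1), "egtt": egtt.Sign(v1)}},
		// v2: published and signed by Deborah, not yet reviewed by any manufacturer.
		"v2": {v2, map[string][]byte{"deborah": deborah.Sign(v2)}},
		// v2 shipped with EI's signature on v1 pasted in: a per-version signature must not transfer.
		"v2-stale-ei-sig": {v2, map[string][]byte{"deborah": deborah.Sign(v2), "ei": ei.Sign(v1)}},
		// A user-modified build that nobody has signed.
		"v2-modified": {mod, map[string][]byte{}},
	}

	out := map[string]map[string]bool{}
	for pn, s := range pkgs {
		out[pn] = map[string]bool{}
		for dn, pol := range devices {
			out[pn][dn] = pol.Allows(s)
		}
	}
	return out
}

func main() {
	for _, pn := range []string{"v1", "v2", "v2-stale-ei-sig", "v2-modified"} {
		row := Scenario()[pn]
		fmt.Printf("%-16s", pn)
		for _, d := range []string{"open", "yoyodyne", "ei", "egtt"} {
			fmt.Printf(" %s=%v", d, row[d])
		}
		fmt.Println()
	}
}
```

The point the table makes is the one the post's key analysis makes: Yoyodyne delegated to Deborah's key, so her signature alone gates installs there, while EI and EGTT kept the gate in their own keys and can therefore price each version separately; a modified build clears only the open device, whatever signatures it carries from other versions.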