Secure Coding mailing list archives

RE: Code Signing Processes


From: "Tegels, Kent" <Kent.Tegels () hdrinc com>
Date: Mon, 02 Feb 2004 17:06:34 +0000

Not so much questions, more that I'm interested in hearing what others
see as best practices. Looking for discussion rather than answers.

Stuff I am interested in:
* Best practices for key management
* What to sign, what not to sign

Stuff I'm less interested in, considering the nature of HDR.

* Algorithms (we're stuck with Authenticode)
* Tools (MS provides most of what's needed out of the box)
* Toolkits and APIs (while I like writing small tools to make my life
easier, MS has already done most of this for us.)
* OS Services
* Infrastructure

It's not that I'm not interested in those facets at some level, but as I
wrote, I'm more interested in learning about the practices, protocols
and policies that others who use code signing are using.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Jared W. Robinson
Sent: Friday, January 30, 2004 3:43 PM
To: Tegels, Kent
Cc: [EMAIL PROTECTED]
Subject: Re: [SC-L] Code Signing Processes

On Thu, Jan 29, 2004 at 09:47:15AM -0600, Tegels, Kent wrote:
> I'm interested in learning more from this community about others'
> practices, protocols, policies, thoughts and opinions about the Code
> Signing Processes.

What are your questions about code signing? Here are some possible
subjects:
  - Algorithms
  - Tools (Commercial, Free and OSS) & their ease of use.
  - Toolkits and how good the APIs are.
  - Key management: protection, escrow, revocation, etc.
  - What to sign.
  - Operating System services that tie into code signing.
  - Infrastructure.

The more specific your questions, the more likely you are to get a
response, I would think.

- Jared