WebApp Sec mailing list archives
Managing Code Signing Digital IDs for Open Source?
From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 13 May 2005 08:25:32 -0400
What are the best practices for managing Code Signing Digital IDs + Private Keys for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? I am fimiliar with shared secret concept. What I am looking for is specific examples of technological solutions that we can buy, to provide key escrow. Key escrow services provided by Verisign are too expensive for us. Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas? Thanks, -- In Peace, Saqib Ali http://validate.sf.net
Current thread:
- Managing Code Signing Digital IDs for Open Source? Saqib Ali (May 15)