Slashdot Mirror

← Back to Stories (view on slashdot.org)

Managing Code Signing Digital IDs for Open Source?

Posted by Cliff on from the project-security dept.

Saqib Ali asks: "What are the best practices for managing Code Signing Digital IDs for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas?"

4 of 103 comments (clear)

  1. Why ask? by hyfe · · Score: 4, Funny

    Post-it notes all the way baby!

    --
    "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
  2. I know who you can trust. by Anonymous Coward · · Score: 4, Funny

    Micros~1.

    They invented code signing after all....

  3. Good use for AI by null+etc. · · Score: 2, Funny
    Well, you should do what I'm doing. I'm in the same situation, and I've decided to program an Artificial Intelligence (AI) bot running on AIM (haha, get it?) to manage our keys.

    I've almost finished programming it with some neat defense technology, to deal with hackers that try to break into it, or child pedos that think it's a seven year old boy and want to play.

    Now, I'm going to give it some ability to review the source code for our missile-launching satellites and robotic defense schematics.

    BTW you'll find this funny: it's already smart enough to complain about the name I gave it. Although personally, I think SkyNet is a great name.

  4. You know what they say by pHatidic · · Score: 3, Funny

    Three people can keep a secret, if two of them are dead.