Slashdot Mirror


Managing Code Signing Digital IDs for Open Source?

Saqib Ali asks: "What are the best practices for managing Code Signing Digital IDs for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas?"

2 of 103 comments (clear)

  1. Interesting by Daath · · Score: 3, Interesting

    An organisation such as the EFF or the like, should have such a key escrow service ;)

    --
    Any technology distinguishable from magic, is insufficiently advanced.
  2. Re:Sharing the public key by cpeikert · · Score: 4, Interesting

    Secret sharing is a good start, but it doesn't get you all the way there.

    Suppose it's time to sign a new build: then some parties reconstruct the secret key, and *poof* all of a sudden all the parties knows the secret key, and you're back to a single point (or even multiple points) of (security) failure.

    What is needed is a threshold signature scheme (in which the key is never explicitly reconstructed). But I don't know of any free or even cheap implementations (they tend to complicated protocols).