On 21.02.2011 18:08, Troy Howard wrote:
> Do we allow our SNK to be public and then run the risks of allowing anyone to create a DLL using our signature? Or do we find a way to manage our private key privately?
We should publish the key because assembly signing was never designed to provide the same level of authenticity as Authenticode or similar infrastructures. Apache's OpenPGP signature should remain authoritative (see below).
> Perhaps we should not attempt to release an SNA?
If the DLLs did not have an SNA, some users would be forced to rebuild, rendering the OpenPGP signature of the official release meaningless. This would be really unfortunate.

Robert
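A worked illustration of the point made in this reply, added here as an example in Python; it is not code from the thread or from the Lucene.NET build. A strong name carries only a public key token, the last eight bytes of SHA-1 over the public key blob, reversed, and the public key blob itself is embedded in every signed assembly, so the public half of the .snk is never secret to begin with. Whoever holds the private half produces assemblies with an identical token, which is why the token identifies a key rather than a publisher. The 16-byte ECMA key and its token come from ECMA-335 Partition II; the RSA modulus and the function names below are constructed for the example and are not a real key or a real tool's API.

```python
"""Strong-name identity vs. authenticity: what a public key token actually is."""
import hashlib
import struct

# ECMA-335 Partition II defines this 16-byte "ECMA key"; its token is the
# b77a5c561934e089 that mscorlib ships with.
ECMA_PUBLIC_KEY = bytes.fromhex("00000000000000000400000000000000")

CALG_RSA_SIGN = 0x00002400   # CryptoAPI algorithm id used in strong-name blobs
CALG_SHA1 = 0x00008004
PUBLICKEYBLOB = 0x06

# Constructed 1024-bit modulus for the example only; NOT a real key.
CONSTRUCTED_MODULUS = hashlib.sha256(b"lucene.net strong-name example").digest() * 4


def public_key_token(public_key: bytes) -> str:
    """Token = last 8 bytes of SHA-1(public key blob), byte-reversed, as hex."""
    digest = hashlib.sha1(public_key).digest()
    return digest[-8:][::-1].hex()


def build_strong_name_blob(modulus_be: bytes, exponent: int = 65537) -> bytes:
    """Assemble a strong-name public key blob (160 bytes for RSA-1024).

    Layout, all little-endian: 12-byte strong-name header (SigAlgId, HashAlgId,
    cbPublicKey), then CryptoAPI BLOBHEADER, RSAPUBKEY ("RSA1", bitlen, pubexp)
    and the modulus stored little-endian. This is the layout behind the familiar
    0024000004800000940000000602000000240000525341310004000001000100... prefix.
    """
    bitlen = len(modulus_be) * 8
    cryptoapi_blob = (
        struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, CALG_RSA_SIGN)  # BLOBHEADER
        + b"RSA1" + struct.pack("<II", bitlen, exponent)           # RSAPUBKEY
        + modulus_be[::-1]                                          # modulus, little-endian
    )
    header = struct.pack("<III", CALG_RSA_SIGN, CALG_SHA1, len(cryptoapi_blob))
    return header + cryptoapi_blob


def parse_strong_name_blob(blob: bytes) -> dict:
    """Decode the header fields and compute the token; ValueError on a malformed blob."""
    if len(blob) < 32:
        raise ValueError("blob too short for strong-name header + RSAPUBKEY")
    sig_alg, hash_alg, cb_public_key = struct.unpack_from("<III", blob, 0)
    if cb_public_key != len(blob) - 12:
        raise ValueError("cbPublicKey does not match blob length")
    btype, _version, _reserved, key_alg = struct.unpack_from("<BBHI", blob, 12)
    if btype != PUBLICKEYBLOB or blob[20:24] != b"RSA1":
        raise ValueError("not a CryptoAPI RSA public key blob")
    bitlen, exponent = struct.unpack_from("<II", blob, 24)
    modulus_le = blob[32:32 + bitlen // 8]
    if len(modulus_le) != bitlen // 8:
        raise ValueError("truncated modulus")
    return {
        "sig_alg": sig_alg,
        "hash_alg": hash_alg,
        "key_alg": key_alg,
        "bitlen": bitlen,
        "exponent": exponent,
        "modulus": int.from_bytes(modulus_le, "little"),
        "token": public_key_token(blob),
    }


if __name__ == "__main__":
    print("ECMA key token:", public_key_token(ECMA_PUBLIC_KEY))
    blob = build_strong_name_blob(CONSTRUCTED_MODULUS)
    info = parse_strong_name_blob(blob)
    print(f"{info['bitlen']}-bit RSA, e={info['exponent']}, token={info['token']}")
    # Any builder holding the same .snk emits the same token: the token says
    # which key signed the DLL, not who built it.
    print("second build, same key, same token:", public_key_token(blob) == info["token"])
```

Running it prints the ECMA token and the token of the constructed key; the last line is the whole argument of the reply in one boolean: a strong name proves key identity, and only the OpenPGP signature on the release says who produced the binaries.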
