There are generally two ways to do it: have a "project" key, or have 
each developer use their own key. The advantage of the first way is 
that each release is signed by the same key, which is clearly 
associated with the project. The disadvantage is control, security, 
and accountability. The second way pretty much reverses the 
arguments: each key is controlled by one person, but there is no 
obvious mapping between that person and the project. Individual keys 
also have a history associated with them, and are usually already 
integrated into the Web of Trust.

Many projects use the individual method, including Apache, GnuPG, and 
OpenSSH. Some use the project method, such as sendmail and proftpd. 
Either is okay with me, but some questions need to be answered if 
using a project key:

Who will actually hold the key? Where will it be physically kept?

How many people will know the passphrase?

Who will be responsible for signing the files? Is there a backup person?

Will it be a signing-only key? What size? Should it expire?

How is verification of the files before signing accomplished?

I've got some ideas about most of those, especially the last two. This will 
not be that easy of a process, but on the other hand, new versions do not 
appear very frequently, and it is important to get this right the first time.

--
Greg Sabino Mullane [EMAIL PROTECTED]
PGP Key: 0x14964AC8 200302041207

Comment: http://www.turnstep.com/pgp.html
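The project-key questions in the mail above (signing-only key, size, expiry, and verifying the files before signing) as one runnable GnuPG workflow. This is an added example, not part of the mail or of any project's release tooling: the key name and address, the release file name and the SHA256SUMS manifest are constructed for the demonstration, and the script works in a throwaway GNUPGHOME so it touches no real keyring. It assumes gpg 2.1 or later and coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the original mail): a "project key" release signing
# workflow with GnuPG. Everything runs in a temporary GNUPGHOME.
set -eu

# 1. Throwaway keyring plus a signing-only key that expires.
#    --quick-generate-key takes: user-id, algorithm, usage, expiry.
#    "sign" restricts the key to signing (no encryption subkey); "1y" answers
#    "should it expire?". For an RSA key the "size" question becomes the
#    algorithm string, e.g. rsa4096. The empty passphrase is only acceptable
#    because this keyring is thrown away; a real project key is protected.
setup_project_key() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key \
        'Example Project Release Key <release@example.invalid>' \
        ed25519 sign 1y >/dev/null 2>&1
}

# Constructed release artifact plus the checksum the build step recorded.
# Prints the working directory so callers can find the files.
make_release() {
    d="$(mktemp -d)"
    printf 'release contents\n' > "$d/release-1.0.tar.gz"
    ( cd "$d" && sha256sum release-1.0.tar.gz > SHA256SUMS )
    echo "$d"
}

# 2. "How is verification of the files before signing accomplished?"
#    Refuse to sign unless the artifact still matches the manifest the build
#    produced; only then emit an ASCII-armoured detached signature (.asc).
verify_then_sign() {
    dir="$1"; file="$2"
    ( cd "$dir" && sha256sum --check --quiet SHA256SUMS ) || {
        echo "checksum mismatch: refusing to sign $file" >&2
        return 1
    }
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/$file.asc" "$dir/$file"
}

# 3. What a downstream user does after importing the project's public key:
#    check the detached signature against the downloaded file.
verify_signature() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    setup_project_key
    work="$(make_release)"
    verify_then_sign "$work" release-1.0.tar.gz
    verify_signature "$work/release-1.0.tar.gz" && echo "signature OK"
    # Anything appended after signing invalidates the signature.
    printf 'tampered\n' >> "$work/release-1.0.tar.gz"
    verify_signature "$work/release-1.0.tar.gz" || echo "tampered file rejected"
fi
```

Run it with `sh release-sign.sh demo`. The checksum gate in verify_then_sign is what stops an altered tarball from ever receiving the project's signature, and the tamper step at the end shows the same property from the downloader's side.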
