Managing Code Signing Digital IDs for Open Source?

Saqib Ali asks: "What are the best practices for managing Code Signing Digital IDs for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas?"

Why ask?

[hyfe]

Post-it notes all the way baby!

I know who you can trust.

[Anonymous Coward]

Micros~1.

They invented code signing after all....

Good use for AI

[null etc.]

Well, you should do what I'm doing. I'm in the same situation, and I've decided to program an Artificial Intelligence (AI) bot running on AIM (haha, get it?) to manage our keys.

I've almost finished programming it with some neat defense technology, to deal with hackers that try to break into it, or child pedos that think it's a seven year old boy and want to play.

Now, I'm going to give it some ability to review the source code for our missile-launching satellites and robotic defense schematics.

BTW you'll find this funny: it's already smart enough to complain about the name I gave it. Although personally, I think SkyNet is a great name.

You know what they say

[pHatidic]

Three people can keep a secret, if two of them are dead.