Managing Code Signing Digital IDs for Open Source? 103
Saqib Ali asks: "What are the best practices for managing Code Signing Digital IDs for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas?"
smart cards? (Score:3, Interesting)
Start a "trust tree" (Score:1, Interesting)
Interesting (Score:4, Interesting)
You'd prefer multiple? (Score:3, Interesting)
In all seriousness, a single point of failure means you only have to worry about one person's key being comprimised. On the other hand, multiple developers available to sign something means multiple points that could have the key stolen.
A backup is a good idea - escrow of some sort, but having multiple devs sign sounds like a bad idea IMHO.
Re:Sharing the public key (Score:5, Interesting)
Suppose it's time to sign a new build: then some parties reconstruct the secret key, and *poof* all of a sudden all the parties knows the secret key, and you're back to a single point (or even multiple points) of (security) failure.
What is needed is a threshold signature scheme (in which the key is never explicitly reconstructed). But I don't know of any free or even cheap implementations (they tend to complicated protocols).
personal reputation (Score:3, Interesting)
Just use personal keys (Score:3, Interesting)
No need for shared secrets, no need for a "master" key of any kind.
Anyone in the world. Their reputation is what's on the line, not the project's reputation.