Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Programming Technology

Managing Code Signing Digital IDs for Open Source? 103

Posted by Cliff from the project-security dept.
Saqib Ali asks: "What are the best practices for managing Code Signing Digital IDs for Open Source projects, where the developers are dispersed throughout the globe? For our project there is NO central office, where we can secure the private key for the Code Signing Digital ID. Who should have the possession of the private key? Multiple people, or just the project manager? What Key Escrow (recovery) techniques can be used, in case the private key holder is not available? Who should be allowed to digitally sign the build? Currently one person handles the signing responsibility, but I think that is surely a single point of failure. Any thoughts/ideas?"
This discussion has been archived. No new comments can be posted.

Managing Code Signing Digital IDs for Open Source? More

Managing Code Signing Digital IDs for Open Source?

Comments Filter:

  • smart cards? (Score:3, Interesting)

    by John Harrison ( 223649 ) <johnharrison@@@gmail...com> on Tuesday May 03, 2005 @04:43PM (#12424747) Homepage Journal
    put the signing certs on pin protected smart cards. Then ship the cards to the people you want to have be able to sign. Ship the pin to unlock the card by a different method.

  • Start a "trust tree" (Score:1, Interesting)

    by Anonymous Coward on Tuesday May 03, 2005 @04:44PM (#12424750)
    The signer of the build can be the "root" and just grow this tree to include all contributors.

  • Interesting (Score:4, Interesting)

    by Daath ( 225404 ) <lp AT coder DOT dk> on Tuesday May 03, 2005 @04:45PM (#12424764) Homepage Journal
    An organisation such as the EFF or the like, should have such a key escrow service ;)

  • You'd prefer multiple? (Score:3, Interesting)

    by Arakonfap ( 454732 ) on Tuesday May 03, 2005 @04:48PM (#12424797)
    You'd prefer multiple points of failure? :-)

    In all seriousness, a single point of failure means you only have to worry about one person's key being comprimised. On the other hand, multiple developers available to sign something means multiple points that could have the key stolen.

    A backup is a good idea - escrow of some sort, but having multiple devs sign sounds like a bad idea IMHO.

  • Re:Sharing the public key (Score:5, Interesting)

    by cpeikert ( 9457 ) <cpeikert AT alum DOT mit DOT edu> on Tuesday May 03, 2005 @04:55PM (#12424884) Homepage
    Secret sharing is a good start, but it doesn't get you all the way there.

    Suppose it's time to sign a new build: then some parties reconstruct the secret key, and *poof* all of a sudden all the parties knows the secret key, and you're back to a single point (or even multiple points) of (security) failure.

    What is needed is a threshold signature scheme (in which the key is never explicitly reconstructed). But I don't know of any free or even cheap implementations (they tend to complicated protocols).

  • personal reputation (Score:3, Interesting)

    by MathFox ( 686808 ) on Tuesday May 03, 2005 @05:17PM (#12425114)
    Why doesn't the package builder sign the package with his personal key? This has the additional advantage that you can trace problems to individuals and/or broken keys. The core group of developers should cross-sign all of their public keys; they can then sign the keys of the people that are allowed to make "official" distributions. From then on it is just a matter of key management: distribute the "trusted" public keys and revoke keys when people leave the project.

  • Just use personal keys (Score:3, Interesting)

    by Sloppy ( 14984 ) * on Tuesday May 03, 2005 @06:31PM (#12425961) Homepage Journal
    Why can't people just sign with their personal keys? And if another developer approves the same build, then it gets a second signature, and so on. The more signatures it has by people you trust, the more you trust it.

    No need for shared secrets, no need for a "master" key of any kind.

    Who should be allowed to digitally sign the build?
    Anyone in the world. Their reputation is what's on the line, not the project's reputation.

Slashdot Top Deals

There are two ways to write error-free programs; only the third one works.

Close