incubator-general mailing list archives

From "Rahul Akolkar" <rahul.akol...@gmail.com>
Subject Re: using public keys
Date Sat, 11 Nov 2006 22:26:40 GMT
On 11/9/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> On 11/9/06, Marshall Schor <msa@schor.com> wrote:
> > One of the tasks suggested in the welcome-to-apache was to set up a
> > public/private key pair for signing in (instead of using a password).
> >
> > Another task in the new-committers info page suggested creating a key
> > for your apache.org address now.  It referred to "Henk's Apache home
> > page" for info - and that page said "one key is better than two, or three".
> >
> > Can the key we set up for signing in (generated following the
> > instructions here:  http://www.apache.org/dev/user-ssh-windows.html) be
> > used as the one key - for example for signing releases?  or is it
> > "incompatible" in some way?
>
> typically they are incompatible
>
> (IIRC it's possible to use some extreme crypto foo to use the same
> actual key but i'm not sure there's anything to be gained by doing so)
>
> IMHO it is bad practice to use the same key: the code signing key
> needs to be kept very, very safe (preferably offline). the key used
> to login to apache needs to be kept very safe but is in everyday use
> and realistically there is a limit to the level of security that's
> going to be possible in that case.
>
<snip/>

Indeed, most KEYS files -- for example [1],[2] -- tend to contain a
header that discourages using code signing keys for more "casual"
uses.

-Rahul

[1] http://www.apache.org/dist/tomcat/tomcat-6/KEYS
[2] http://www.apache.org/dist/httpd/KEYS


> - robert
>
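An added example, not from the thread or from any Apache project, to make the "typically incompatible" point concrete: the same RSA public key (n, e) is written as an OpenSSH `ssh-rsa` line and as an OpenPGP v4 public-key packet, each is parsed back, and neither parser accepts the other's container. TOY_N is a constructed placeholder (not a real modulus), and the OpenPGP side only handles short new-format packets; the function names are mine.

```python
import base64
# Constructed toy values for illustration only; TOY_N is NOT a real RSA modulus.
TOY_N = 0xC3A1F2B8D4E67905A1B2C3D4E5F60718293A4B5C6D7E8F90
TOY_E = 65537

def _ssh_mpint(x):
    # RFC 4251 mpint: uint32 length, big-endian bytes, leading 0x00 when the high bit is set
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return len(b).to_bytes(4, "big") + b

def encode_openssh_rsa(n, e, comment="toy@example.invalid"):
    # OpenSSH line: 'ssh-rsa <base64(string "ssh-rsa", mpint e, mpint n)> comment'
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_openssh_rsa(line):
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    blob, pos, parts = base64.b64decode(fields[1]), 0, []
    for _ in range(3):  # string "ssh-rsa", mpint e, mpint n
        ln = int.from_bytes(blob[pos:pos + 4], "big")
        parts.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if parts[0] != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")  # (n, e)

def _pgp_mpi(x):
    # RFC 4880 MPI: 2-byte bit count, then the minimal big-endian value
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

def encode_openpgp_rsa_pubkey(n, e, created=0):
    # Tag-6 public-key packet, v4 body: version, creation time, algo 1 (RSA), MPI n, MPI e
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _pgp_mpi(n) + _pgp_mpi(e)
    assert len(body) < 192, "toy encoder emits one-octet new-format lengths only"
    return bytes([0xC0 | 6, len(body)]) + body

def parse_openpgp_rsa_pubkey(packet):
    if len(packet) < 8 or packet[0] != 0xC6 or packet[1] >= 192:
        raise ValueError("not a short new-format OpenPGP public-key packet (tag 6)")
    body = packet[2:2 + packet[1]]
    if body[0] != 4 or body[5] != 1:
        raise ValueError("not a version-4 RSA public key")
    pos, mpis = 6, []
    for _ in range(2):  # MPI n, MPI e
        nbytes = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    return mpis[0], mpis[1]  # (n, e)
```

Both parsers return the same (n, e) for the two encodings, which is the "same actual key" robert alludes to, while each rejects the other's bytes; the practice point stands regardless: a signing key kept offline and a login key in daily use should simply be different keys.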


