incubator-general mailing list archives

From "robert burrell donkin" <robertburrelldon...@gmail.com>
Subject Re: using public keys
Date Thu, 09 Nov 2006 21:52:06 GMT
On 11/9/06, Marshall Schor <msa@schor.com> wrote:
> One of the tasks suggested in the welcome-to-apache was to set up a
> public/private key pair for signing in (instead of using a password).
>
> Another task in the new-committers info page suggested creating a key
> for your apache.org address now.  It referred to "Henk's Apache home
> page" for info - and that page said "one key is better than two, or three".
>
> Can the key we set up for signing in (generated following the
> instructions here:  http://www.apache.org/dev/user-ssh-windows.html) be
> used as the one key - for example for signing releases?  or is it
> "incompatible" in some way?

typically they are incompatible

(IIRC it's possible to use some extreme crypto foo to use the same
actual key but I'm not sure there's anything to be gained by doing so)

IMHO it is bad practice to use the same key: the code signing key
needs to be kept very, very safe (preferably offline). the key used
to login to apache needs to be kept very safe but is in everyday use
and realistically there is a limit to the level of security that's
going to be possible in that case.

- robert
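The practice Robert describes, as an added example that is not part of the thread: the release-signing key lives in its own keyring (which can sit on an offline machine), the SSH login key in `~/.ssh` plays no part in signing, and a downloader checks the release against its detached signature. This is illustrative code, not Apache's own tooling; it assumes GnuPG 2.1 or later is installed, and the identity, artifact and keyring are constructed for the demo.

```shell
# Added example, not from the thread: a separate signing-only key in an
# isolated keyring, a detached release signature, and verification that
# fails once the artifact is modified. Assumes GnuPG 2.1+; the identity,
# files and keyring below are constructed for this demo.
set -eu

# Fresh, isolated keyring so the demo never touches the user's real keys.
new_keyring() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Create an Ed25519 signing-only key (hypothetical identity) in keyring $1.
# A real release key would get a strong passphrase; the demo uses none.
generate_signing_key() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Manager <demo@example.invalid>' ed25519 sign 1y
}

# Write an ASCII-armoured detached signature $2.asc for artifact $2 with keyring $1.
sign_release() {
    GNUPGHOME=$1 gpg --batch --quiet --yes --armor --detach-sign --output "$2.asc" "$2"
}

# Verify artifact $2 against $2.asc using keyring $1. Prints "ok" or "BAD";
# returns 0 only for a valid signature over an unmodified file.
verify_release() {
    if GNUPGHOME=$1 gpg --batch --quiet --verify "$2.asc" "$2" 2>/dev/null; then
        echo ok
        return 0
    else
        echo BAD
        return 1
    fi
}

# End-to-end check: the genuine artifact verifies, a tampered copy does not.
demo() {
    keyring=$(new_keyring)
    work=$(mktemp -d)
    generate_signing_key "$keyring"
    printf 'constructed release contents\n' > "$work/release-1.0.tar.gz"
    sign_release "$keyring" "$work/release-1.0.tar.gz"
    good=$(verify_release "$keyring" "$work/release-1.0.tar.gz")
    printf 'tampered\n' >> "$work/release-1.0.tar.gz"   # simulate a modified download
    bad=$(verify_release "$keyring" "$work/release-1.0.tar.gz") || true
    GNUPGHOME=$keyring gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$keyring" "$work"
    printf '%s %s\n' "$good" "$bad"   # prints "ok BAD"
}
```

Run `demo` to see both outcomes. The point of the separate keyring is the one from the reply: the login key is used every day from a workstation, while the signing keyring can be kept off that machine and only brought out to sign a release, and the `.asc` file is what lets anyone else confirm the artifact was not altered in transit.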
