Date: Fri, 12 Apr 2013 10:52:15 -0500
From: "William A. Rowe Jr."
To: infrastructure-dev@apache.org
Cc: cmodien@gmail.com
Subject: Re: Official code signing certificate
Message-ID: <20130412105215.27fc9910@hub>
In-Reply-To: <1502D874-5DFD-4903-B02F-CFABD564C8B7@gmail.com>

On Mon, 25 Mar 2013 16:48:41 -0700
Clint Modien wrote:

> I'm not sure if it's economical or not… but if the approach is to
> provide private keys and certs to each project it might be wise for
> them to also be unique for each project.

They won't be signed. Authenticode key signing is structured one-per-org.

> That way if a cert/key pair is compromised in one project it doesn't
> impact other projects.

Couldn't agree more, a moronic design if you asked me.

The Symantec code signing service, however, ties a distinct key to each signed object in an auditable method. As Rob is fond of pointing out, there are literally hundreds of moving parts in their release (and similarly in the httpd release as well - each loadable module must be signed). I've asked and been assured that the Symantec service would have a batch/group automation-friendly submission process that could make this relatively painless.

When I scoped the first ASF-hosted service, I envisioned then editing each .rc resource entity in the binaries to associate them to the PGP key which had submitted them for signing, before then Authenticode-signing the objects. But this still suffers from exactly the threat you identified above.