Posted to general@incubator.apache.org by Marshall Schor <ms...@schor.com> on 2006/11/09 21:28:18 UTC

using public keys

One of the tasks suggested in the welcome-to-apache was to set up a 
public/private key pair for signing in (instead of using a password).

Another task in the new-committers info page suggested creating a key 
for your apache.org address now.  It referred to "Henk's Apache home 
page" for info - and that page said "one key is better than two, or three".

Can the key we set up for signing in (generated following the 
instructions here:  http://www.apache.org/dev/user-ssh-windows.html) be 
used as the one key - for example for signing releases?  or is it 
"incompatible" in some way?

-Marshall


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: using public keys

Posted by Rahul Akolkar <ra...@gmail.com>.
On 11/9/06, robert burrell donkin <ro...@gmail.com> wrote:
> On 11/9/06, Marshall Schor <ms...@schor.com> wrote:
> > One of the tasks suggested in the welcome-to-apache was to set up a
> > public/private key pair for signing in (instead of using a password).
> >
> > Another task in the new-committers info page suggested creating a key
> > for your apache.org address now.  It referred to "Henk's Apache home
> > page" for info - and that page said "one key is better than two, or three".
> >
> > Can the key we set up for signing in (generated following the
> > instructions here:  http://www.apache.org/dev/user-ssh-windows.html) be
> > used as the one key - for example for signing releases?  or is it
> > "incompatible" in some way?
>
> typically they are incompatible
>
> (IIRC it's possible to use some extreme crypto foo to use the same
> actual key but i'm not sure there's anything to be gained by doing so)
>
> IMHO it is bad practice to use the same key: the code signing key
> needs to be kept very, very safe (preferably offline). the key used
> to login to apache needs to be kept very safe but is in everyday use
> and realistically there is a limit to the level of security that's
> going to be possible in that case.
>
<snip/>

Indeed, most KEYS files -- for example [1],[2] -- tend to contain a
header that discourages using code signing keys for more "casual"
uses.

-Rahul

[1] http://www.apache.org/dist/tomcat/tomcat-6/KEYS
[2] http://www.apache.org/dist/httpd/KEYS


> - robert
>



Re: using public keys

Posted by robert burrell donkin <ro...@gmail.com>.
On 11/9/06, Marshall Schor <ms...@schor.com> wrote:
> One of the tasks suggested in the welcome-to-apache was to set up a
> public/private key pair for signing in (instead of using a password).
>
> Another task in the new-committers info page suggested creating a key
> for your apache.org address now.  It referred to "Henk's Apache home
> page" for info - and that page said "one key is better than two, or three".
>
> Can the key we set up for signing in (generated following the
> instructions here:  http://www.apache.org/dev/user-ssh-windows.html) be
> used as the one key - for example for signing releases?  or is it
> "incompatible" in some way?

typically they are incompatible

(IIRC it's possible to use some extreme crypto foo to use the same
actual key but i'm not sure there's anything to be gained by doing so)

IMHO it is bad practice to use the same key: the code signing key
needs to be kept very, very safe (preferably offline). the key used
to login to apache needs to be kept very safe but is in everyday use
and realistically there is a limit to the level of security that's
going to be possible in that case.

- robert
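A worked version of what the two replies recommend, added here as an example; it is not code from the thread, from the ASF, or from the KEYS files Rahul cites. A dedicated OpenPGP signing key lives in its own GnuPG home (on an offline machine in practice), signs a release artifact with a detached armored signature, and a downloader verifies it with a fresh keyring seeded only from a KEYS-style file. The last step generates an SSH login key with ssh-keygen and shows that gpg cannot even import it, which is the "incompatible" robert describes. It assumes GnuPG 2.1 or later is installed as gpg (and OpenSSH's ssh-keygen for the last step); the names, the e-mail address and the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the ASF): a release-signing key kept
# apart from the SSH login key, with the sign/verify round trip a downloader
# performs. Assumes GnuPG 2.1+ as `gpg`; ssh-keygen only for the last step.
# The key name, address and file names are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer-keyring"   # release manager's keyring (offline in practice)
USER_HOME="$WORK/user-keyring"       # downstream verifier's empty keyring
mkdir -m 700 "$SIGNER_HOME" "$USER_HOME"
trap 'for h in "$SIGNER_HOME" "$USER_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

make_signing_key() {
  # Batch generation of a signing-only key. No passphrase purely for the demo;
  # a real release key gets a strong passphrase and never touches the login box.
  gpg --homedir "$SIGNER_HOME" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Example Release Manager
Name-Email: releases@example.invalid
Expire-Date: 2y
%commit
EOF
  # KEYS-style file: plain-text header, then the armored public key.
  # `gpg --import` skips the text and reads the armored block.
  {
    echo "# Constructed KEYS file. The keys below sign releases only; they are"
    echo "# not used for logins, mail or anything else day to day."
    gpg --homedir "$SIGNER_HOME" --armor --export releases@example.invalid
  } > "$WORK/KEYS"
}

sign_release() {
  # Detached, ASCII-armored signature written next to the artifact as $1.asc
  gpg --homedir "$SIGNER_HOME" --batch --yes --armor --detach-sign "$1"
}

verify_release() {
  # What a downloader does: trust nothing but the project's KEYS file, then
  # check $1.asc against $1. Exit status is gpg's: 0 only for a good signature.
  gpg --homedir "$USER_HOME" --batch --quiet --import "$WORK/KEYS" 2>/dev/null
  gpg --homedir "$USER_HOME" --batch --verify "$1.asc" "$1"
}

make_signing_key

ARTIFACT="$WORK/example-1.0-src.tar.gz"
printf 'constructed stand-in for a release tarball\n' > "$ARTIFACT"
sign_release "$ARTIFACT"

if verify_release "$ARTIFACT"; then
  echo "OK: signature on $(basename "$ARTIFACT") verifies against KEYS"
else
  echo "FAIL: good artifact did not verify"; exit 1
fi

# A modified artifact presented with the original signature must be rejected.
TAMPERED="$WORK/example-1.0-src-tampered.tar.gz"
cp "$ARTIFACT" "$TAMPERED"
cp "$ARTIFACT.asc" "$TAMPERED.asc"
printf 'one extra byte' >> "$TAMPERED"
if verify_release "$TAMPERED" 2>/dev/null; then
  echo "FAIL: tampered artifact verified"; exit 1
else
  echo "OK: tampered artifact rejected"
fi

# The SSH login key is a different object in a different format: gpg has
# nothing to do with it, which is the "incompatible" from the thread.
if command -v ssh-keygen >/dev/null 2>&1; then
  ssh-keygen -q -t ed25519 -N '' -C 'login key, not a signing key' -f "$WORK/id_login"
  if gpg --homedir "$USER_HOME" --batch --import "$WORK/id_login.pub" 2>/dev/null; then
    echo "unexpected: gpg imported an OpenSSH public key"
  else
    echo "OK: gpg refuses the OpenSSH public key (different key type and format)"
  fi
fi
```

The two GnuPG homes are the point: the signer's keyring never has to be on the machine that holds the everyday SSH key, and the verifier's keyring starts empty, so a good signature proves only that the artifact matches a key published in KEYS. Whether that key belongs to the release manager is a separate question, answered by the web of trust or by checking the fingerprint out of band.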
