On 11/9/06, Marshall Schor <[EMAIL PROTECTED]> wrote:
> One of the tasks suggested in the welcome-to-apache was to set up a
> public/private key pair for signing in (instead of using a password).
> Another task in the new-committers info page suggested creating a key
> for your apache.org address now. It referred to "Henk's Apache home
> page" for info - and that page said "one key is better than two, or three".
> Can the key we set up for signing in (generated following the
> instructions here: http://www.apache.org/dev/user-ssh-windows.html) be
> used as the one key - for example for signing releases? or is it
> "incompatible" in some way?
Typically they are incompatible.
(IIRC it's possible to use some extreme crypto foo to use the same
actual key, but I'm not sure there's anything to be gained by doing so.)
IMHO it is bad practice to use the same key: the code signing key
needs to be kept very, very safe (preferably offline). The key used
to login to apache needs to be kept very safe but is in everyday use,
and realistically there is a limit to the level of security that's
going to be possible in that case.
- robert
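The "incompatible" point above is mostly about container formats: an OpenSSH public key line (the `id_*.pub` / `authorized_keys` format produced by the Windows instructions Marshall links) is a whitespace-separated `<type> <base64 blob> [comment]` record whose blob is a sequence of length-prefixed wire-format strings, while a release-signing key is an OpenPGP armored block. The parser below is an added example written for this page, not code from the thread or from Apache; the sample key material is constructed inline (a 32-byte placeholder standing in for a real Ed25519 public key), and the expected-field table is my own assumption covering only the three common key types it lists.

```python
import base64
import binascii
import struct

# Number of wire-format fields that follow the algorithm name in the blob
# (assumed table for this example; ssh-ed25519 carries the raw 32-byte key,
# ssh-rsa carries e and n, ecdsa carries the curve name and the point).
EXPECTED_FIELDS = {"ssh-ed25519": 1, "ssh-rsa": 2, "ecdsa-sha2-nistp256": 2}


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: big-endian uint32 length + bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_pubkey_line(key_type: str, fields: list, comment: str) -> str:
    """Assemble a '<type> <base64> <comment>' line from raw wire-format fields."""
    blob = _ssh_string(key_type.encode("ascii")) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def parse_openssh_pubkey_line(line: str) -> dict:
    """Parse one OpenSSH public key line and validate its internal consistency.

    Rejects OpenPGP armored material outright, so a release-signing key pasted
    where an SSH login key is expected fails loudly instead of silently.
    """
    line = line.strip()
    if line.startswith("-----BEGIN PGP"):
        raise ValueError("OpenPGP armored block, not an OpenSSH public key")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None

    # Walk the blob as a sequence of length-prefixed strings.
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix in key blob")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields:
        raise ValueError("empty key blob")

    # The algorithm name is embedded in the blob and must match the prefix.
    embedded_type = fields[0].decode("ascii", errors="replace")
    if embedded_type != declared_type:
        raise ValueError(f"declared type {declared_type!r} but blob says {embedded_type!r}")
    key_fields = fields[1:]
    expected = EXPECTED_FIELDS.get(declared_type)
    if expected is not None and len(key_fields) != expected:
        raise ValueError(f"{declared_type} should carry {expected} field(s), got {len(key_fields)}")
    if declared_type == "ssh-ed25519" and len(key_fields[0]) != 32:
        raise ValueError("ssh-ed25519 public key must be exactly 32 bytes")
    return {"type": declared_type, "fields": key_fields, "comment": comment}


# Constructed sample: a placeholder 32-byte value, not a real key.
SAMPLE_ED25519_KEY = bytes(range(32))
SAMPLE_LINE = build_openssh_pubkey_line("ssh-ed25519", [SAMPLE_ED25519_KEY], "committer@apache.org")

# Constructed sample of the other container format, which this parser refuses.
SAMPLE_PGP_ARMOR = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQENBF...\n-----END PGP PUBLIC KEY BLOCK-----"


def classify(line: str) -> str:
    """Return 'openssh', 'openpgp' or 'invalid' for a pasted key line."""
    try:
        parse_openssh_pubkey_line(line)
        return "openssh"
    except ValueError as exc:
        return "openpgp" if "OpenPGP" in str(exc) else "invalid"


if __name__ == "__main__":
    print(parse_openssh_pubkey_line(SAMPLE_LINE))
    print(classify(SAMPLE_PGP_ARMOR))
```

The round trip through `build_openssh_pubkey_line` is only there so the example is self-contained; in practice the parser is fed lines from a `.pub` file, and the mismatch and length checks are the useful part, since they catch a key that has been edited or mis-pasted before it lands in `authorized_keys`.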
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]