Re: Fedora Security Response Team Update


 



> GPG key.  I'm pondering how to handle this.  There will be groups that want
> to send us encrypted mail.  How can we do this in a secure manner (trust is
> a big issue here).

So role keys on open source projects are generally a bad idea, and indeed both the Apache Software Foundation and OpenSSL security teams do not use a role key for secure communications. For the most part it's just CERT and the odd researcher that want secure communications and signing of statements.

So what we do in those projects is just tell CERT (and publish on the site) the contact details and GPG keys of a few of the security team members. A member on receiving something encrypted has the responsibility to triage and pass it on. Since it doesn't happen often (once a month or less) it's not a big deal.

Mark

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
