Fedora Security Response Team Update

Mark J Cox mjc at redhat.com
Thu Apr 5 12:11:55 UTC 2007


> GPG key.  I'm pondering how to handle this.  There will be groups that want
> to send us encrypted mail.  How can we do this in a secure manner (trust is
> a big issue here).

So role keys on open source projects are generally a bad idea, and indeed 
both the Apache Software Foundation and OpenSSL security teams do not use 
a role key for secure communications.  For the most part it's just CERT and 
the odd researcher that want secure communications and signing of 
statements.

So what we do in those projects is just tell CERT (and publish on the 
site) the contact details and GPG keys of a few of the security team 
members.  A member on receiving something encrypted has the 
responsibility to triage and pass it on.  Since it doesn't happen often 
(once a month or less) it's not a big deal.

Mark
