On Thursday, February 25, 2016 08:05:59 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> > No one has access to the private key. It lives on a server that has no
> > services running that listen for connections. There is a service that runs on
> > it that talks to the signing bridge. That brokers all requests. Users with
> > access do not know the password to unlock the key. The signing server manages
> > access. There are exactly two copies of the private key, one embedded in
> > encrypted storage on the signing server and a backup of the encrypted storage
> > on the backup server. It has been designed to allow the granting and
> > revocation of access without the need for having a copy of the private key.
> >
> > https://fedorahosted.org/sigul/ is the software we use
> >
> > Dennis
>
> Thank you for providing this valuable information about the handling
> of the private key that enables Fedora ISO signing. This information
> should be shared and highlighted as it is helping to create trust in
> the use of this key.
> As a personal request, would you be so kind as to confirm the fingerprint
> here (and maybe somewhere else), please. Thank you very much.

Which fingerprint? There are a number of keys.

Dennis
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx