[tz] Digital signing (was Re: Proposed time zone package changes ...)
bet at rahul.net
Fri Oct 7 20:28:48 UTC 2011
For signing the data files, I'm fond of pgp, with gpg being the
implementation I trust best.
Sadly, standardization efforts seem to end up being used to add sponsorship
for certificate signing authorities; we have all seen how well that has
worked for SSL. I hope you can go with pgp; the current Certificate Authority
fiasco follows as expected from the observation that trust doesn't scale.
As for details, I don't know of anything wrong with the default algorithms that
gpg uses. But ideally you shouldn't be using your own key directly, but
rather a new, project-specific key for the project's official contact email
address. You can start it off by signing it with your key, and other folks
can add signatures after verifying the fingerprint with you offline.
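The key-management procedure described in the message above, written out as a runnable gpg session. This is an added example, not tooling from the tz project or from the poster. It assumes invented user IDs at example.org, a constructed stand-in file named tzdata-demo.tar.gz, and throwaway keys generated without passphrases in temporary keyrings so that the script runs unattended; real keys would be passphrase-protected, and the maintainer's personal key would normally live in a keyring separate from the project key.

```shell
#!/bin/sh
# Added example of the "project-specific key, countersigned by others" scheme.
# Assumed: example.org addresses, tzdata-demo.tar.gz, temporary GNUPGHOMEs,
# unprotected demo keys (real keys would carry a passphrase).
set -eu

# Non-interactive gpg; the caller picks the keyring via GNUPGHOME.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the first key matching a user ID (colon format, "fpr" record).
fingerprint_of() {  # $1 = GNUPGHOME, $2 = user ID or address
    GNUPGHOME="$1" g --with-colons --list-keys "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Long key IDs of every signature carried by a key (field 5 of "sig" records), one per signer.
signers_of() {  # $1 = GNUPGHOME, $2 = fingerprint
    GNUPGHOME="$1" g --with-colons --list-sigs "$2" | awk -F: '/^sig:/ { print $5 }' | sort -u
}

# The "other folks" side: import the project key, refuse to sign unless the
# fingerprint equals the one confirmed with the maintainer offline, then sign
# it with the local key and emit the key with the new signature attached.
countersign() {  # $1 = signer's GNUPGHOME, $2 = exported project key file, $3 = expected fingerprint
    GNUPGHOME="$1" g --import "$2"
    actual=$(fingerprint_of "$1" "$PROJECT_UID")
    [ "$actual" = "$3" ] || { echo "fingerprint mismatch: got $actual" >&2; return 1; }
    GNUPGHOME="$1" g --quick-sign-key "$3"
    GNUPGHOME="$1" g --export --armor "$3"
}

# Verify a detached signature on a data file; exit status 0 only for a good signature.
verify_release() {  # $1 = GNUPGHOME, $2 = data file (signature is $2.asc)
    GNUPGHOME="$1" g --verify "$2.asc" "$2"
}

demo() {
    DEMO=$(mktemp -d)
    MAINT_HOME="$DEMO/maintainer"; FRIEND_HOME="$DEMO/friend"
    mkdir -m 700 "$MAINT_HOME" "$FRIEND_HOME"
    trap 'for h in "$MAINT_HOME" "$FRIEND_HOME"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done; rm -rf "$DEMO"' EXIT
    PROJECT_UID="tz project <tz@example.org>"   # assumed official contact address

    # 1. The maintainer's personal key and the new project-specific key.
    GNUPGHOME="$MAINT_HOME" g --quick-generate-key "Maintainer <maint@example.org>" default default never
    GNUPGHOME="$MAINT_HOME" g --quick-generate-key "$PROJECT_UID" default default never
    MAINT_FPR=$(fingerprint_of "$MAINT_HOME" "maint@example.org")
    PROJECT_FPR=$(fingerprint_of "$MAINT_HOME" "tz@example.org")

    # 2. Start the project key off with the maintainer's signature and publish it.
    GNUPGHOME="$MAINT_HOME" g --default-key "$MAINT_FPR" --quick-sign-key "$PROJECT_FPR"
    GNUPGHOME="$MAINT_HOME" g --export --armor "$PROJECT_FPR" > "$DEMO/project.asc"

    # 3. Someone else checks the fingerprint out of band, signs, and sends the key back.
    GNUPGHOME="$FRIEND_HOME" g --quick-generate-key "Friend <friend@example.org>" default default never
    FRIEND_FPR=$(fingerprint_of "$FRIEND_HOME" "friend@example.org")
    countersign "$FRIEND_HOME" "$DEMO/project.asc" "$PROJECT_FPR" > "$DEMO/project-signed.asc"
    GNUPGHOME="$MAINT_HOME" g --import "$DEMO/project-signed.asc"

    # 4. Data files are signed with the project key, never the personal key.
    printf 'constructed stand-in for a tz data tarball\n' > "$DEMO/tzdata-demo.tar.gz"
    GNUPGHOME="$MAINT_HOME" g --default-key "$PROJECT_FPR" --armor --detach-sign "$DEMO/tzdata-demo.tar.gz"
}

if command -v gpg >/dev/null 2>&1; then
    demo
    verify_release "$MAINT_HOME" "$DEMO/tzdata-demo.tar.gz" && echo "release signature: good"
    echo "key IDs certifying the project key (self, maintainer, friend):"
    signers_of "$MAINT_HOME" "$PROJECT_FPR"
else
    echo "gpg not installed; nothing to run" >&2
fi
```

After step 3 the project key carries three signatures: its own self-signature, the maintainer's, and the friend's; anyone who already trusts either signer can now trust the project key without meeting the maintainer. The fingerprint check inside countersign is the step that matters: signing a key whose fingerprint was never confirmed out of band adds a signature but no actual trust.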