[tz] Digital signing (was Re: Proposed time zone package changes ...)
dmagda at ee.ryerson.ca
Fri Oct 7 23:44:25 UTC 2011
On Oct 7, 2011, at 16:28, Bennett Todd wrote:
> As for details, I don't know anything wrong with the default algorithms that
> gpg uses. But ideally you shouldn't be using your own key directly, but
> rather a new, project-specific key for the project's official contact email
> address. You can start it off by signing it with your key, and other folks
> can add signatures after verifying the fingerprint with you offline.
A good place to start may be what US-CERT is using:
They update their key every year, but that's probably excessive here.
More information about the tz