Oct. 7, 2011
11:44 p.m.
On Oct 7, 2011, at 16:28, Bennett Todd wrote:
As for details, I don't know anything wrong with the default algorithms that gpg uses. But ideally you shouldn't be using your own key directly, but rather a new, project-specific key for the project's official contact email address. You can start it off by signing it with your key, and other folks can add signatures after verifying the fingerprint with you offline.
A good place to start may be what US-CERT is using:
http://www.us-cert.gov/pgp/soc.asc
http://www.us-cert.gov/contact/
They update their key every year, but that's probably excessive here.
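The workflow sketched in the thread (a separate project key for the contact address, started off with the maintainer's own certification, with other people adding theirs only after checking the fingerprint out of band), as an added example that is not from the original thread. It runs in a throwaway keyring so it never touches the real ~/.gnupg; the names, addresses and file path are constructed placeholders, and the demo keys deliberately have no passphrase only so the script can run unattended.

```shell
#!/bin/sh
# Added example, not part of the original thread: bootstrap a project-specific
# GPG key, certify it with a maintainer's personal key, export it, and show the
# fingerprint check a second party does before adding their own certification.
# All names, addresses and paths are constructed placeholders.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

# Isolated keyring so the demo never touches the real ~/.gnupg.
export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# gpg in non-interactive mode; the demo keys carry no passphrase (a real key should).
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key matching a user id or key id.
fingerprint_of() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Number of certifications on KEY made by SIGNER (matched on the 16-hex-digit key id,
# which is the tail of the fingerprint for v4 keys).
count_signatures_by() {
    key="$1"; signer_id="$(printf '%s' "$2" | tail -c 16)"
    gpg --with-colons --check-signatures "$key" \
        | awk -F: -v s="$signer_id" '$1 == "sig" && $5 == s { n++ } END { print n + 0 }'
}

# What a third party does before signing: compare the fingerprint inside the
# published key file with the one obtained out of band (phone, in person).
verify_fingerprint() {
    expected="$1"; keyfile="$2"
    actual="$(gpg --with-colons --import-options show-only --import "$keyfile" \
        | awk -F: '$1 == "fpr" { print $10; exit }')"
    [ "$actual" = "$expected" ]
}

# 1. The maintainer's personal key (stands in for "your key" in the thread).
gpgb --quick-generate-key "Alice Maintainer <alice@example.org>" default default never
MAINT_FPR="$(fingerprint_of alice@example.org)"

# 2. A separate key for the project's official contact address. An expiry
#    means a forgotten or lost key ages out even if nobody revokes it.
gpgb --quick-generate-key "Example Project Security <security@example.org>" default default 2y
PROJ_FPR="$(fingerprint_of security@example.org)"

# 3. Start the project key off with the maintainer's certification.
gpgb --local-user "$MAINT_FPR" --quick-sign-key "$PROJ_FPR"

# 4. Export the public key, as you would publish it next to the contact address.
gpg --armor --export "$PROJ_FPR" > "$GNUPGHOME/security-example.asc"

echo "project key fingerprint: $PROJ_FPR"
echo "certifications by maintainer: $(count_signatures_by "$PROJ_FPR" "$MAINT_FPR")"
if verify_fingerprint "$PROJ_FPR" "$GNUPGHOME/security-example.asc"; then
    echo "exported key matches the fingerprint communicated out of band"
fi
```

The point of step 3 is that the project key starts with one certification people can already trust; anyone who later verifies the fingerprint with you can run `gpg --quick-sign-key` against it in their own keyring and send the resulting signature back, and `--check-signatures` lets a recipient see exactly who has vouched for the key.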