Digital signing (was Re: Proposed time zone package changes ...)
For signing the data files, I'm fond of pgp, with gpg being the implementation I trust best. Sadly, standardization efforts seem to end up being used to add sponsorship for certificate signing authorities; we all have seen how well that has worked for SSL. Hope you can go with pgp; the current Certificate Authority fiasco follows as expected from the observation that trust doesn't scale. As for details, I don't know anything wrong with the default algorithms that gpg uses. But ideally you shouldn't be using your own key directly, but rather a new, project-specific key for the project's official contact email address. You can start it off by signing it with your key, and other folks can add signatures after verifying the fingerprint with you offline.
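The flow Bennett outlines (a project-specific key certified by a maintainer's personal key, then detached signatures over the data files) as an added shell example that is not part of this thread; the names, addresses and release file are constructed, and the keyring is a throwaway created in a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example, not from the thread: a maintainer's personal key certifies a
# project-specific key for the project's contact address, the project key signs
# a (constructed) release file, and verification is run against the intact file
# and a tampered copy. Empty passphrases are only acceptable for this disposable keyring.
set -eu
MAINTAINER="Maintainer Example <maintainer@example.org>"   # hypothetical personal key
PROJECT="tz project <tz@example.org>"                       # hypothetical project key

g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

setup_keys() {   # generate both keys and let the maintainer certify the project key
    g --quick-generate-key "$MAINTAINER" ed25519 sign 0 2>/dev/null || return 1
    g --quick-generate-key "$PROJECT" ed25519 sign 0 2>/dev/null || return 1
    PROJECT_FPR=$(gpg --batch --with-colons --list-keys "$PROJECT" |
                  awk -F: '$1=="fpr"{print $10; exit}')
    # In real use the fingerprint is confirmed with the maintainer out of band
    # before this certification is made; here it is read from our own keyring.
    g --local-user "$MAINTAINER" --quick-sign-key "$PROJECT_FPR" 2>/dev/null
}

project_key_certified() {   # 0 only if a good certification by the maintainer exists
    gpg --batch --with-colons --check-sigs "$PROJECT_FPR" 2>/dev/null |
      awk -F: '$1=="sig" && $2=="!" && $10 ~ /maintainer@example\.org/ {f=1} END{exit !f}'
}

sign_release() {  # $1 = data file; writes an armored detached signature to $1.asc
    g --local-user "$PROJECT" --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

verify_release() {  # 0 only if $1.asc is a good signature over the current $1
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

demo() {  # whole flow in a fresh keyring; returns 0 only if every step behaves
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME" || return 1
    DATA="$GNUPGHOME/tzdata-constructed.tar.gz"     # constructed stand-in for a release
    printf 'constructed release contents\n' > "$DATA"
    setup_keys && project_key_certified || return 1
    sign_release "$DATA" && verify_release "$DATA" || return 1
    printf 'x' >> "$DATA"                           # modify the file after signing
    if verify_release "$DATA"; then return 1; fi    # the signature must now be rejected
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then
    demo && echo "project-key signing flow: OK"
else
    echo "gpg not installed; nothing to demonstrate"
fi
```

Downloaders only need the project's public key and its certifications; the fingerprint check against the maintainer is what stops a substituted key from passing as the real one.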
On Oct 7, 2011, at 16:28, Bennett Todd wrote:
> As for details, I don't know anything wrong with the default algorithms that gpg uses. But ideally you shouldn't be using your own key directly, but rather a new, project-specific key for the project's official contact email address. You can start it off by signing it with your key, and other folks can add signatures after verifying the fingerprint with you offline.
A good place to start may be what US-CERT is using: http://www.us-cert.gov/pgp/soc.asc http://www.us-cert.gov/contact/ They update their key every year, but that's probably excessive here.
Just wanted to mention that I use git on Windows, and it works fine for my purposes. I use a combination of the bash command line it provides within MINGW32, and a Git Gui front end.
participants (3)
- Bennett Todd
- David Magda
- David Patte