GPG key. I'm pondering how to handle this. There will be groups that want to send us encrypted mail. How can we do this in a secure manner (trust is a big issue here).
So role keys on open source projects are generally a bad idea, and indeed both the Apache Software Foundation and OpenSSL security teams do not use a role key for secure communications. For the most part it's just CERT and the odd researcher that want secure communications and signing of statements.
So what we do in those projects is just tell CERT (and publish on the site) the contact details and GPG keys of a few of the security team members. A member on receiving something encrypted has the responsibility to triage and pass it on. Since it doesn't happen often (once a month or less) it's not a big deal.
Mark

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list