TODO: Ask security.txt people how is signing with SSH supposed to be handled or are alternatives to OpenPGP OK?