
[OCLUG-Tech] New gpg key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA512

Date: 2014-03-20

For a number of reasons[0], I've recently set up a new OpenPGP key,
and will be transitioning away from my old one.

This is for people who have signed my old key and feel OK signing my new key also.
Many of them are on this list, so that's why I am sending it out here, but even if you don't
want to sign my new key, it has some gpg info, especially at the end.

The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one.  I would also like this
new key to be re-integrated into the web of trust.  This message is
signed by both keys to certify the transition.

The old keys were:

pub   1024D/0xDB4202BB12F506C8 1998-04-28 [expires: 2019-12-31]
      Key fingerprint = 3DC2 CEBA 1590 B41A 3780  955A DB42 02BB 12F5 06C8
sub   2048g/0xB3D334D5AC0E538A 1998-04-28

And the new key is:

pub   4096R/0x24550E8842DDDDDD 2014-03-06 [expires: 2019-06-23]
      Key fingerprint = EB81 3135 1636 576A DA83  826B 2455 0E88 42DD DDDD

To fetch the full key from a public key server, you can simply do:

  gpg --keyserver hkps.pool.sks-keyservers.net --recv-key 0x42DDDDDD

If you already know my old key, you can now verify that the new key is
signed by the old one:

  gpg --check-sigs '42DDDDDD'

If you don't already know my old key, or you just want to be double extra
paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint '3DC2CEBA1590B41A3780955ADB4202BB12F506C8'

If you are satisfied that you've got the right key, and the UIDs match what
you expect, I'd appreciate it if you would sign my key. You can do that by
issuing the following command:

**
NOTE: if you have previously signed my key but did a local-only
signature (lsign), you will not want to issue the following, instead
you will want to use --lsign-key, and not send the signatures to the
keyserver
**

  gpg --sign-key 'EB8131351636576ADA83826B24550E8842DDDDDD'

I'd like to receive your signatures on my key. You can either send them
directly back to the keyserver

  gpg --keyserver hkps.pool.sks-keyservers.net --send-keys 0x42DDDDDD

or as an e-mail with the new signatures (if you have a functional MTA on your system):

  gpg --export 'EB8131351636576ADA83826B24550E8842DDDDDD' | gpg --encrypt -r 'EB8131351636576ADA83826B24550E8842DDDDDD' --armor | mail -s 'OpenPGP Signatures' peters-gpgsig [ at ] techwiz [ dot ] ca


Additionally, I highly recommend that you implement a mechanism to keep your key
material up-to-date so that you obtain the latest revocations, and other updates
in a timely manner. You can do regular key updates by using parcimonie[1] to
refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring
from a keyserver over Tor. It uses a randomized sleep, and fresh Tor circuits
for each key. The purpose is to make it hard for an attacker to correlate the
key updates with your keyring.

Or if you don't worry about someone knowing what keys you are interested in
you can just do a cronjob like

  0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1

I also highly recommend checking out the excellent Riseup GPG best
practices doc, from which I stole most of the text for this transition
message ;-)

https://we.riseup.net/debian/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.

Peter Sjöberg

0. https://www.debian-administration.org/users/dkg/weblog/48
1. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

-----END PGP SIGNATURE-----
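
Added example, not part of the original message: a scripted form of the two manual checks described above (full fingerprint, and a verified signature from the old key), reading gpg's --with-colons output. The function name and both sample listings are constructed for illustration; only the fingerprint and old key ID come from the message.

```shell
#!/bin/sh
# Check `gpg --with-colons --check-sigs` output for a key transition.
NEW_FPR=EB8131351636576ADA83826B24550E8842DDDDDD  # new key, from the message
OLD_ID=DB4202BB12F506C8                           # old key long ID, from the message

# check_transition NEW_FPR OLD_ID  (colon listing on stdin; hypothetical helper)
# Succeeds only if the primary key has the full fingerprint NEW_FPR and one of
# its user IDs carries a certification by OLD_ID that gpg verified ("!").
check_transition() {
    awk -F: -v want="$1" -v old="$2" '
        $1 == "pub" { ours = 0; on_uid = 0; need_fpr = 1; next }
        $1 == "fpr" && need_fpr { need_fpr = 0; ours = ($10 == want); next }
        $1 == "uid" { on_uid = 1; next }
        $1 == "sub" { on_uid = 0; next }
        # sig classes 10x-13x are certifications of a user ID
        $1 == "sig" && ours && on_uid && $5 == old && $11 ~ /^1[0-3]/ {
            if ($2 == "!") good = 1
        }
        END { exit !good }
    '
}

sample_good() {       # constructed listing, not real gpg output
    cat <<'EOF'
pub:-:4096:1:24550E8842DDDDDD:1394064000:::-:::scESC:
fpr:::::::::EB8131351636576ADA83826B24550E8842DDDDDD:
uid:-::::1394064000::::constructed user ID:
sig:!::1:24550E8842DDDDDD:1394064000::::constructed user ID:13x:
sig:!::17:DB4202BB12F506C8:1394064000::::constructed old key:10x:
sig:?::1:1111111111111111:1394064000::::[User ID not found]:10x:
EOF
}

# Constructed: same short ID 42DDDDDD but a different full fingerprint. The
# old-key sig line is kept so that only the fingerprint check can reject it.
sample_lookalike() {
    cat <<'EOF'
pub:-:4096:1:0000000042DDDDDD:1394064000:::-:::scESC:
fpr:::::::::0000000000000000000000000000000042DDDDDD:
uid:-::::1394064000::::constructed user ID:
sig:!::1:0000000042DDDDDD:1394064000::::constructed user ID:13x:
sig:!::17:DB4202BB12F506C8:1394064000::::constructed old key:10x:
EOF
}

sample_good | check_transition "$NEW_FPR" "$OLD_ID" && echo "good: verified"
sample_lookalike | check_transition "$NEW_FPR" "$OLD_ID" || echo "look-alike: rejected"
```

Against a real keyring, pipe the output of gpg --with-colons --check-sigs for the new fingerprint into check_transition; add --with-fingerprint if your gpg version omits fpr records in that listing.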