Thursday, September 26, 2013

OpenPGP key transition statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Date: October 16, 2013

For a number of reasons[0], I’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

pub 1024D/BB9EC476E934D755 1998-09-22
Key fingerprint = CD29 354E 5C51 E528 0E0E 19DF BB9E C476 E934 D755

And the new key is:

pub 4096R/BEB8C013FCC700F3 2013-10-16
Key fingerprint = 0AA7 230B 8C3C 2C2E 12E9 525D BEB8 C013 FCC7 00F3

To fetch the full key from a public key server, you can simply do:

gpg --keyserver hkps.pool.sks-keyservers.net --recv-key BEB8C013FCC700F3

or if you’re using GPGTools for Mac[1], choose “Retrieve from Keyserver…” from the Key menu in GPG Keychain Access and paste BEB8C013FCC700F3 into the “Key ID” field.

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs BEB8C013FCC700F3

or with GPGTools, choose “Show Info” from the Key menu in GPG Keychain Access when the key is selected, choose the “User IDs” tab, and review the Signatures field.

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint BEB8C013FCC700F3

or view the fingerprint in the Key tab of the Key Inspector in GPG Keychain Access.

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command:

**
NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use --lsign-key, and not send the signatures to the keyserver
**

gpg --sign-key BEB8C013FCC700F3

or choose “Sign…” from the Key menu in GPG Keychain Access while my new key is selected.

I'd like to receive your signatures on my key. Once you’ve signed it, please upload the signed key to a public key server:

gpg --keyserver hkps.pool.sks-keyservers.net --send-key <my email address> [sorry, I don’t post my email online to avoid spam]

or choose “send public key to Keyserver” in the Key menu of GPG Keychain Access when my key is selected after you’ve signed it.


Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations and other updates in a timely manner. You can do regular key updates by using parcimonie[2] to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.


I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message ;-)

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry for any inconvenience.

Jim Syler

0. https://www.debian-administration.org/users/dkg/weblog/48
1. https://gpgtools.org/
2. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iEYEAREDAAYFAlJfF5AACgkQu57Eduk011W5GwCbBKey8PSFuuNf0IkfZ+J+cPFH
8iUAoOOXH6aPtqoxkwXpDipA88n0C9Ck
=7aSL
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJSXxfSAAoJEGETEFCb6rLz5aIP/inydzeTZSaTnHpx1v8489QY
yxVDxg6DdPZ33HqFsGR5GScV5oop3b/bUCEsTbK81CS0HnJshli7WUD+p2xC22a7
YkM9LBqsHua0xSb0YSTFrye/saqAOySXw3Ww48O73Xoc0/S+CHQLNrzaZ2F+T6bi
sW787OelaPjag1jKClEQIlEIuntQtNTPjiznfPt/z599uzE1oAo7BrpV7CAKdpJW
vMhAv7bQXWN8U45iV9nD2JgCha4x6aOZtcsvztgum5zhYdzKDxW0y585j02YPOaq
aaFU4vNM50zibo2svvVksguQ/lXAe9GAy4RCb1/RQkWDpQo/+vyJ1CnrBwVqnAr0
oyeNhow5NGdgBDhIp6nQc+vm0YrBxHlAbvgc0HCrXJatO94eSNQeCnGcu12ca+kT
P3hneNMr9Gc1jilo5GdM3znA86SVJchW3OB+4bOa8+0DAUQ+s35cn4CcwVX5Wqqv
LcviLrzzgDVfg3Ixrr9+Z3ZiPwBZo+CpQVfgwgLR/Hx+7aF6ITiZXnYi/85LibIH
TxpG0XQXJ+gVfDm6G0TeuNrNBwv6x9m7x2ed1HOLNej0nLDjVdo765/fLjnzB5sm
DoXjVuqWNciWAI73ZPL69E8vzsH8xJIkGHHD4/U1pJ8vNennJ5xjLU2ODby7gVZx
vEQNld5Td1InA6Lne+7A
=FOPC
-----END PGP SIGNATURE-----

No comments: