-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1,SHA512 Date: 2015-01-21 For a number of reasons[0], i've recently set up a new OpenPGP key, and will be transitioning away from my old one. The old key will continue to be valid for 3 months, but i prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition. the old key was: pub 1024D/0x24A1BECC2B693EBF 1999-12-03 [expires: 2015-04-20] Key fingerprint = 062B A4C3 73D5 51F3 312A F7F0 24A1 BECC 2B69 3EBF And the new key is: pub 4096R/0x28DAA11406E1AFFD 2015-01-20 [expires: 2018-01-19] Key fingerprint = 360F 4E41 2F35 7D65 D862 B79A 28DA A114 06E1 AFFD To fetch the full key from a public key server, you can simply do: gpg --keyserver keys.riseup.net --recv-key '360F 4E41 2F35 7D65 D862 B79A 28DA A114 06E1 AFFD' If you already know my old key, you can now verify that the new key is signed by the old one: gpg --check-sigs '062B A4C3 73D5 51F3 312A F7F0 24A1 BECC 2B69 3EBF' If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above: gpg --fingerprint '062B A4C3 73D5 51F3 312A F7F0 24A1 BECC 2B69 3EBF' If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command: ** NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use --lsign-key, and not send the signatures to the keyserver ** gpg --sign-key '360F 4E41 2F35 7D65 D862 B79A 28DA A114 06E1 AFFD' I'd like to receive your signatures on my key. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system): gpg --export '360F 4E41 2F35 7D65 D862 B79A 28DA A114 06E1 AFFD' | gpg --encrypt -r '360F 4E41 2F35 7D65 D862 B79A 28DA A114 06E1 AFFD' --armor | mail -s 'OpenPGP Signatures' joerg@joergdietrich.com Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations, and other updates in a timely manner. You can do regular key updates by using parcimonie[1] to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring. I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message ;-) https://we.riseup.net/debian/openpgp-best-practices Please let me know if you have any questions, or problems, and sorry for the inconvenience. Joerg Dietrich 0. https://www.debian-administration.org/users/dkg/weblog/48 1. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUwA4NJKG+zCtpPr8RAgPMAJwLgP1Eck6vE8gpQrfTm5zzlrt3NQCcDqC6 PMN4vwDvpz77OOJgtjTSCQOJAhUDBQFUwA4NmHb+oqg9vW4BCliPD/0aO4CHWBao 1XwQhA0AX+4cn5+6TlAHJbOXRcXgjPmIA9ZmvIeSXZABndLL5Qc8zSaz7ts6esYj VSHvci/QG5EhrshsWjBQdob2WB4TE1VEWcNM0iEvaKxGfEZQsNen8ENTIEmug26f 94aeVssmSh3pga5edir/GIlfRH462d/zt61LWmRFdZQ76qnrvCAxbnSbNkB0A2ks b1IU0THL+c5vqRfCDInoTzP46ggl4+NwQ2BpCJQnOORCWR9wjQ0peh2zzxVP6AXx m+DQmtRn1xp5iotKiGYdxCnhsl8ET+yCoFi0gftvwbweaKxt2/y04Y0yGl6W89Ym hcqEJMfJlD/AzeDx0k+veWi/l05SEeMKN+gxlaCOuQzR8sahXddmcTEABGn719Wj K3rWVWzlf5fxgvPQwdY4PsC9AcD8yMOnXUXZ0uIBp/VlDLf7NlcDxZ4FcrZhpu1o BgrMzmSiWWXjsjwXQoeXEtNlZ6wGc8BeAhPa8HJ8edHyjElomxJTER48DA9wZhaM 2eRPEa4JfDcg1fCawuGJAmDiz0DYVOlV7j1vbVaHH8yq47i89KAnggRvtVBbQQ7r tY6UEl7FlqPDkXE1zXgETtujl/gphAOFQsfpu7LYAc8jy0iMjFOtIIeNIRPtcM6r 6jt85tXBDXPRez3gjFTWKG9VyJ7X1fEWrQ== =GMSX -----END PGP SIGNATURE-----