2012-06-16

GnuPG Transition to a New, Stronger Key

In reading the Debian Planet RSS feed, I find by the example of Vincent Bernat's "GPG Key Transition Statement 2012" that I'm pretty late to the party in transitioning off the vulnerable SHA-1 digest algorithm and from my old 1024-bit DSA key to a new 4096-bit RSA key. I'm going to follow suit.

You can find the following statement signed by the new key here and detach-signed with the old key here.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am transitioning GPG keys from an old 1024-bit DSA key to a new 4096-bit
RSA key.  The old key will continue to be valid for some time, but I prefer
all new correspondance to be encrypted in the new key, and will be making
all signatures going forward with the new key.

This transition document is signed with both keys to validate the
transition.

If you have signed my old key, I would appreciate signatures on my new key
as well, provided that your signing policy permits that without
re-authenticating me.

The old key, which I am transitional away from, is:

 pub   1024D/206C5AFD 1999-11-15 [expires: 2013-07-23]
   Key fingerprint = B4AB D627 9CBD 687E 7A31  1950 0CC7 0B18 206C 5AFD

The new key, to which I am transitioning, is:

 pub   4096R/606A941F 2012-06-16 [expires: 2015-06-16]
   Key fingerprint = 9FCF 24D9 FFE7 4D25 ACCD  D51D 4A67 0D2C 606A 941F

To fetch the full new key from a public key server using GnuPG, run:

  gpg --keyserver keys.gnupg.net --recv-key 606A941F

If you have already validated my old key, you can then validate that the new
key is signed by my old key:

  gpg --check-sigs 606A941F

If you then want to sign my new key, a simple and safe way to do that is by
using caff (shipped in Debian as part of the "signing-party" package) as
follows:

  caff 606A941F         

Please contact me via e-mail at  if you have any
questions about this document or this transition.

  Chad Walstrom
  chewie@wookimus.net   
  2012-06-16
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
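
The statement's commands address the new key by its 8-hex-digit ID, which does not uniquely identify a key, so it is worth comparing the full fingerprint before running `--check-sigs` or `caff`. The script below is an added example, not part of the original post: `normalize_fpr`, `check_fpr` and the sample colon records are constructed for illustration, and it assumes the machine-readable listing that `gpg --with-colons --fingerprint` prints.

```shell
#!/bin/sh
# Added example: confirm that what the short key ID resolved to is the key
# whose full fingerprint is printed in the transition statement.

# Fingerprint copied from the statement above.
NEW_FPR="9FCF 24D9 FFE7 4D25 ACCD  D51D 4A67 0D2C 606A 941F"

# normalize_fpr STRING: strip whitespace and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_fpr EXPECTED: reads `gpg --with-colons --fingerprint KEYID` output on
# stdin. Returns 0 only if exactly one primary key is listed and its
# fingerprint equals EXPECTED; 1 on mismatch; 2 if the ID matched zero or
# several primary keys (an ambiguous short ID).
check_fpr() {
    want=$(normalize_fpr "$1")
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; need = 1; next }          # new primary key
        $1 == "fpr" && need { got = toupper($10); need = 0 }  # its fpr only
        END {
            if (pubs != 1) { print "expected 1 primary key, found " pubs+0; exit 2 }
            if (got != want) { print "fingerprint mismatch: " got; exit 1 }
            print "fingerprint OK: " got
        }'
}

# Constructed sample of the colon listing (not a real keyring dump).
SAMPLE='pub:-:4096:1:4A670D2C606A941F:1339804800:1434412800::-:::scESC:
fpr:::::::::9FCF24D9FFE74D25ACCDD51D4A670D2C606A941F:'
printf '%s\n' "$SAMPLE" | check_fpr "$NEW_FPR"

# Against a real keyring, after fetching the key:
#   gpg --with-colons --fingerprint 606A941F | check_fpr "$NEW_FPR"
```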
