OpenPGP Key Rollover from D3492A2A to 1BF98D6D

Public Service Announcement: I am deprecating my old key 0xD3492A2A in favour of a newly generated key 0x1BF98D6D. I have uploaded a copy here. It is signed with my old key, too. FTR: It involved exporting the old secret key and the new public key to a temporary directory, change the expiry date of the old key, sign the new key and import the new signed key *sigh*. It’s only 11 years that --allow-expired-keys was discussed.

The new fingerprint is:

$ gpg --fingerprint --list-key 1BF98D6D
pub   3072D/1BF98D6D 2012-05-10 [expires: 2017-05-09]
      Key fingerprint = FF52 DA33 C025 B1E0 B910  92FC 1C34 19BF 1BF9 8D6D
uid                  Tobias Mueller tobias.mueller2  mail.dcu.ie
uid                  Tobias Mueller 4tmuelle  informatik.uni-hamburg.de
sub   3072g/3B76E8B3 2012-05-10 [expires: 2017-05-09]
$

It’s 2012 already and apparently there ain’t such a thing as best practices for rolling over your OpenPGP key. I’m thinking about something that discusses whether or how to

  1. create a new key
  2. adding old UIDs to the new key
  3. sign the new key with the old one
  4. sign the old key with the new one
  5. probably sign the new key with other secret keys in your keyring
  6. preparing a small text file stating the rollover
  7. sign that so that you can upload it to the public
  8. inform people that have signed your old key that a new one is in place

I do think the steps mentioned make sense and should be implemented to easy the key transition. I started with something very simple; you can find the code here. You are welcome to discuss what’s needed in order to properly move from one key to another.

Tags: , , , , ,

Comments are closed.