Posts Tagged ‘pki’

OpenPGP Key Rollover from D3492A2A to 1BF98D6D

Monday, September 24th, 2012

Public Service Announcement: I am deprecating my old key 0xD3492A2A in favour of a newly generated key 0x1BF98D6D. I have uploaded a copy here. It is signed with my old key, too. FTR: it involved exporting the old secret key and the new public key to a temporary directory, changing the expiry date of the old key, signing the new key and importing the newly signed key *sigh*. It’s only been 11 years since --allow-expired-keys was discussed.

The new fingerprint is:

$ gpg --fingerprint --list-key 1BF98D6D
pub   3072D/1BF98D6D 2012-05-10 [expires: 2017-05-09]
      Key fingerprint = FF52 DA33 C025 B1E0 B910  92FC 1C34 19BF 1BF9 8D6D
uid                  Tobias Mueller <tobias.mueller2@mail.dcu.ie>
uid                  Tobias Mueller <4tmuelle@informatik.uni-hamburg.de>
sub   3072g/3B76E8B3 2012-05-10 [expires: 2017-05-09]
$

It’s 2012 already and apparently there ain’t such a thing as best practices for rolling over your OpenPGP key. I’m thinking about something that discusses whether or how to

  1. create a new key
  2. add the old UIDs to the new key
  3. sign the new key with the old one
  4. sign the old key with the new one
  5. probably sign the new key with other secret keys in your keyring
  6. prepare a small text file stating the rollover
  7. sign it so that you can upload it to the public
  8. inform people who have signed your old key that a new one is in place

I do think the steps mentioned make sense and should be implemented to ease the key transition. I started with something very simple; you can find the code here. You are welcome to discuss what’s needed in order to properly move from one key to another.
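As an added example (not the author's script, which is only linked from the post), here are the eight steps above run end to end against a throwaway GnuPG keyring, plus the check a correspondent would make before countersigning the new key. It assumes GnuPG 2.1 or later for the --quick-* commands; the names, e-mail addresses, one-year expiry and the empty passphrase are constructed for the demo and stand in for the real keys mentioned in the post.

```sh
#!/bin/sh
# Added example, not code from the original post: the eight rollover steps
# run against a throwaway GnuPG keyring (GnuPG 2.1+ for the --quick-* commands).
# Names, e-mail addresses and the 1-year expiry are constructed for the demo.
set -eu

# Work in a private keyring so nothing here touches ~/.gnupg.
export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"

# Unattended gpg: no prompts, empty passphrase, no stdin (demo only; protect real keys).
gpgq() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@" </dev/null; }

# Primary-key fingerprints from --with-colons output (the fpr record right after pub/sec),
# skipping the fpr records that belong to subkeys.
primary_fprs() { awk -F: '$1=="pub"||$1=="sec"{want=1;next} $1=="fpr"&&want{print $10;want=0}'; }

# Step 1: create a key and print its fingerprint.
gen_key() {  # $1 = user ID
    gpgq --quick-generate-key "$1" default default 1y >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" | primary_fprs
}

# Step 2: carry every user ID of the old key over to the new key.
copy_uids() {  # $1 = old fpr, $2 = new fpr
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="uid"{print $10}' |
        while IFS= read -r uid; do gpgq --quick-add-uid "$2" "$uid"; done
}

# Steps 3 and 4: certify one key with another (-u selects the signing key).
sign_key_with() { gpgq -u "$1" --quick-sign-key "$2"; }  # $1 signs $2

# Step 5: also certify the new key with every other secret key in the keyring.
sign_with_others() {  # $1 = old fpr, $2 = new fpr
    gpg --batch --with-colons --list-secret-keys | primary_fprs |
        while read -r f; do [ "$f" = "$1" ] || [ "$f" = "$2" ] || sign_key_with "$f" "$2"; done
}

# Steps 6 and 7: write a short transition statement and clear-sign it with BOTH keys,
# so that a reader who trusts either key can verify it.
write_statement() {  # $1 = old fpr, $2 = new fpr, $3 = output path for the signed text
    printf 'OpenPGP key transition statement\n\nI am retiring key %s in favour of key %s.\nThe new key carries a certification from the old one; please update your keyring.\n' \
        "$1" "$2" >"$3.txt"
    gpgq -u "$1" -u "$2" --clearsign --output "$3" "$3.txt"
}

# Step 8: long key IDs of everyone who certified a user ID of key $1 (self-signatures
# excluded); these are the people to notify about the rollover.
signers_of() {  # $1 = fpr
    gpg --batch --with-colons --list-sigs "$1" |
        awk -F: -v self="$(printf '%s' "$1" | tail -c 16)" '$1=="sig" && $5!=self {print $5}' | sort -u
}

# What a correspondent checks before signing the new key: the old key certified the new
# one, and the statement verifies (gpg --verify exits 0 only when every signature is good).
check_rollover() {  # $1 = old fpr, $2 = new fpr, $3 = clear-signed statement
    signers_of "$2" | grep -qx "$(printf '%s' "$1" | tail -c 16)" &&
        gpg --batch --quiet --verify "$3" 2>/dev/null
}

run_demo() {
    OLD=$(gen_key "Alice Example <alice@example.org>")   # stands in for the old key
    NEW=$(gen_key "Alice Example <alice@example.net>")   # stands in for the new key
    copy_uids "$OLD" "$NEW"
    sign_key_with "$OLD" "$NEW"
    sign_key_with "$NEW" "$OLD"
    sign_with_others "$OLD" "$NEW"
    STATEMENT="$GNUPGHOME/transition.asc"
    write_statement "$OLD" "$NEW" "$STATEMENT"
    check_rollover "$OLD" "$NEW" "$STATEMENT"
    echo "old key $OLD -> new key $NEW; notify these signers of the old key:"
    signers_of "$OLD"
    gpgconf --kill gpg-agent
}

case "${1:-}" in run) run_demo ;; esac
```

Run it with `sh rollover.sh run`; it leaves the clear-signed statement in `$GNUPGHOME/transition.asc`, which is the file to publish alongside the exported new key. Signing the statement with both keys matters: a correspondent who only holds the old key can still verify it, and one who fetched the new key from a keyserver can see the old key vouching for it. The expiry change the post complains about is a one-liner in current GnuPG (`gpg --quick-set-expire FPR 2w`), so the temporary-directory dance is no longer needed.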

Key Rollover

Wednesday, June 30th, 2010

I have deprecated my OpenPGP Key 0xAA208D9E in favour of a new key 0x059B598E. So please use this new key, which you can find, e.g., here.

muelli@bigbox ~ $ gpg --fingerprint --list-key 0x059B598E
pub   1024D/059B598E 2010-06-23 [expires: 2015-06-22]
      Key fingerprint = 610C B252 37B3 70E9 EB21  08E8 9CEE 1B6B 059B 598E
uid                  Tobias Mueller
sub   4096g/C71F0BE4 2010-06-23 [expires: 2015-06-22]

muelli@bigbox ~ $

If you’ve signed my old key, you might as well sign my new one (verifying that it’s correctly signed with the old key), assuming that my identity hasn’t changed. I recommend using caff to do so.