Public Service Announcement: I am deprecating my old key 0xD3492A2A in favour of a newly generated key 0x1BF98D6D. I have uploaded a copy here. It is signed with my old key, too. FTR: It involved exporting the old secret key and the new public key to a temporary directory, change the expiry date of the old key, sign the new key and import the new signed key *sigh*. It’s only 11 years that
--allow-expired-keys was discussed.
The new fingerprint is:
$ gpg --fingerprint --list-key 1BF98D6D pub 3072D/1BF98D6D 2012-05-10 [expires: 2017-05-09] Key fingerprint = FF52 DA33 C025 B1E0 B910 92FC 1C34 19BF 1BF9 8D6D uid Tobias Mueller tobias.mueller2 mail.dcu.ie uid Tobias Mueller 4tmuelle informatik.uni-hamburg.de sub 3072g/3B76E8B3 2012-05-10 [expires: 2017-05-09] $
It’s 2012 already and apparently there ain’t such a thing as best practices for rolling over your OpenPGP key. I’m thinking about something that discusses whether or how to
- create a new key
- adding old UIDs to the new key
- sign the new key with the old one
- sign the old key with the new one
- probably sign the new key with other secret keys in your keyring
- preparing a small text file stating the rollover
- sign that so that you can upload it to the public
- inform people that have signed your old key that a new one is in place
I do think the steps mentioned make sense and should be implemented to easy the key transition. I started with something very simple; you can find the code here. You are welcome to discuss what’s needed in order to properly move from one key to another.