A few weeks ago, I was fortunate enough to talk at the 7th Privacy Enhancing Techniques Conference (PET-CON 2017.2) in Hamburg, Germany. It’s a teeny tiny academic event with a dozen or so experts in the field of privacy.
The talks were quite technical, involving things like machine learning over logs or secure multi-party computation. I talked about how I think that the best technical solution does not necessarily enable people to be more private, simply because they might not be able to make use of the tool properly. That is a concern that's generally shared in the academic community. Yet, the methodology to create and assess the effectiveness of a design is not very well developed. I guess we need to invest more brain power into creating models, metrics, and tools for enabling people to do safer computing.
So I'm happy to have gone and to have had the opportunity to discuss the issues I'm seeing. Likewise, I find it very interesting to see where people are currently headed.
Public Service Announcement: I am deprecating my old key 0xD3492A2A in favour of a newly generated key 0x1BF98D6D. I have uploaded a copy here. It is signed with my old key, too. FTR: It involved exporting the old secret key and the new public key to a temporary directory, changing the expiry date of the old key, signing the new key and importing the new signed key *sigh*. It's only been 11 years since --allow-expired-keys was discussed.
The new fingerprint is:
$ gpg --fingerprint --list-key 1BF98D6D
pub 3072D/1BF98D6D 2012-05-10 [expires: 2017-05-09]
Key fingerprint = FF52 DA33 C025 B1E0 B910 92FC 1C34 19BF 1BF9 8D6D
uid Tobias Mueller tobias.mueller2 mail.dcu.ie
uid Tobias Mueller 4tmuelle informatik.uni-hamburg.de
sub 3072g/3B76E8B3 2012-05-10 [expires: 2017-05-09]
It's 2012 already and apparently there ain't such a thing as best practices for rolling over your OpenPGP key. I'm thinking about something that discusses whether or how to
- create a new key
- add old UIDs to the new key
- sign the new key with the old one
- sign the old key with the new one
- probably sign the new key with other secret keys in your keyring
- prepare a small text file stating the rollover
- sign that so that you can upload it to the public
- inform people that have signed your old key that a new one is in place
I do think the steps mentioned make sense and should be implemented to ease the key transition. I started with something very simple; you can find the code here. You are welcome to discuss what's needed in order to properly move from one key to another.
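The cross-signing and signed-statement steps from the list above can be scripted as follows. This is an added example, not the code linked from this post; it assumes GnuPG 2.1 or later, that both secret keys are already in the keyring, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: OpenPGP key rollover helpers (hypothetical names).
# Assumes GnuPG >= 2.1 and that both secret keys are in the keyring.
# Arguments are full fingerprints, never short key IDs.

# Print the transition statement for the given old and new fingerprints.
transition_statement() {
    cat <<EOF
OpenPGP key transition statement ($(date -u +%Y-%m-%d))

I am replacing my old key with a new one.

Old key fingerprint: $1
New key fingerprint: $2

This statement is signed with both keys. If you signed the old key,
please verify the signatures and consider signing the new key.
EOF
}

# Cross-certify the keys, then write a statement clearsigned by both.
# usage: rollover OLD_FPR NEW_FPR OUTFILE
rollover() {
    old=$1 new=$2 out=$3
    # Sign the new key with the old one, so existing trust paths reach it.
    gpg --batch --yes --local-user "$old" --quick-sign-key "$new" || return 1
    # Sign the old key with the new one.
    gpg --batch --yes --local-user "$new" --quick-sign-key "$old" || return 1
    # One clearsigned file carrying a signature from each key.
    transition_statement "$old" "$new" |
        gpg --batch --yes --local-user "$old" --local-user "$new" \
            --clearsign --output "$out" || return 1
}

# Count good signatures on a signed statement (expect 2 after rollover).
count_good_sigs() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        grep -c '^\[GNUPG:\] GOODSIG'
}
```

Anyone who fetched both public keys can run `gpg --verify` on the resulting file and should see one good signature from each key before trusting the new fingerprint.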
I have deprecated my OpenPGP Key 0xAA208D9E in favour of a new key 0x059B598E. So please use this new key which you can find, i.e. here.
muelli@bigbox ~ $ gpg --fingerprint --list-key 0x059B598E
pub 1024D/059B598E 2010-06-23 [expires: 2015-06-22]
Key fingerprint = 610C B252 37B3 70E9 EB21 08E8 9CEE 1B6B 059B 598E
uid Tobias Mueller
sub 4096g/C71F0BE4 2010-06-23 [expires: 2015-06-22]
muelli@bigbox ~ $
If you’ve signed my old key, you might as well sign my new one (verifying that it’s correctly signed with the old key), assuming that my identity hasn’t changed. I recommend using caff to do so.