I’ve had my old OpenPGP key for around 13 years. That’s a long time, and it’s a tough decision to just throw it away and replace it and the signatures I’ve gained during that time. But it’s no longer doing the job required of it — at 1024-bit it’s possible that with a feasible amount of computing power you could break the encryption it provides. So it’s time to create a shiny new 4096-bit RSA key to replace it with.
I’ve followed all the suggested best practice documents that I could find and created my new key. I’ve published it to some public key servers, including
pool.sks-keyservers.net, and I’ve written the now common transitional statement (admittedly, “written” is used loosely here — I mostly borrowed the text and layout from other people).
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1,SHA512 From: Tim Bishop <email@example.com> Date: 2013-08-10 After 13 years my old 1024-bit DSA key no longer meets the standards suggested by current best practice, so I've generated a new 4096-bit RSA key to replace it. My old key was: pub 1024D/0x7DCED6595AE7D984 2000-10-07 Key fingerprint = 1453 086E 9376 1A50 ECF6 AE05 7DCE D659 5AE7 D984 uid Tim Bishop <firstname.lastname@example.org> uid Tim Bishop <T.D.Bishop@kent.ac.uk> uid Tim Bishop <tdb@FreeBSD.org> uid Tim Bishop <email@example.com> My new key is: pub 4096R/0x6C226B37FDF38D55 2013-08-07 [expires: 2015-08-07] Key fingerprint = 4BD9 5F90 8A50 40E8 D26C D681 6C22 6B37 FDF3 8D55 uid Tim Bishop <firstname.lastname@example.org> uid Tim Bishop <T.D.Bishop@kent.ac.uk> uid Tim Bishop <tdb@FreeBSD.org> uid Tim Bishop <email@example.com> My old key will continue to be valid, but I would prefer all future communication to be done using my new key. In addition, any other keys being distributed on public key servers that use any of the above UIDs should be considered invalid. This document has been signed using both the old and the new keys so that you can certify the transition. In addition, the new key has been signed with the old one to confirm its validity. If you previously signed my old key I'd appreciate it if you could sign the new one if you're happy with the trust that signature gives. If you'd like any further verification or have any questions about this transition please contact me directly. Tim. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIFiS0ACgkQfc7WWVrn2YRjaQCfVwy0ptDK7iB2zuIAYDGo15ED HlsAniBSw/OIisdEILxXINyipuSBpFLLiQIcBAEBCgAGBQJSBYktAAoJEGwiazf9 841V+BoQAJvnFbGbrPIql4E4BKlG3Bz2MBK2HTgicy29K96fBXZkA6mSAzuGB/Ts 6FW1/LTMQzKeHZj8mbOJQ04iaGe7gljQykrTfr2mwn8Bv7jqlGU3AMWheeRReVvD C63hd5ogt0tYZ3Zg9VhKLV3RXhSGPSBA+6wfqihX+wVV/E4FA0OyDOKquZksj+Gy BVajE/nnIluatQB/0xNDq4KdiwdfJUcKlVSxI4mCj6sMOjhYaK1JyPjglLNwcL3p OZmx08xxakMvH0XawtpRNNDQkRhzdjev75GUCUrOVoXYaM4W8533qdU+LagninIU X0j4XEqMg6l+KYHB257WDhFXJOM8Ng8YbDVsZV0n/JoRXmsFlHeEikzv1b62jviJ IxFQGYqWMs+wt9LdAXkSBNEuR6np9h5Gg+Q7Iu9btneoX9g0oHlh1G2HsbqFl4pA rQ3p9i16APCAEQOqQ9/KjSm7eUSJltqyogTaVpf0gdL7Y7FGsemzdmqILruIDaxq p5pw3AvXastHkZ6KxTdOFi/Ekh3dC9a9cXm9YuNv4xDxnvwvi0hNWbtsQHtmUXRF THNpCEJE+g8ZpohGNH3g5fVoIGIJLhCmqR2oHV0MzuuaZo9VUVCgoltrpPd1Z2q3 N2VIM0+SVgGyF8QvEurYoA7o9TSNXfKoYEpgye5SFUyI16pgC1dd =Plxn -----END PGP SIGNATURE-----
The statement above can also be downloaded here, or you can just copy and paste it in to your PGP client of choice. I use GnuPG.
The following output shows the statement being verified by both my old and new keys. You’ll likely see something slightly different than me because you won’t trust my new key yet. If you trust my old key it should validate correctly and confirm that the statement is genuine and that I have a new key.
% gpg --keyserver pool.sks-keyservers.net --recv-key 0x6C226B37FDF38D55 gpg: requesting key FDF38D55 from hkp server pool.sks-keyservers.net gpg: key FDF38D55: public key "Tim Bishop <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) % wget -qO - https://www.bishnet.net/tim/gpg-transition-2013.asc | gpg --verify gpg: Signature made Sat Aug 10 01:28:29 2013 BST using DSA key ID 5AE7D984 gpg: Good signature from "Tim Bishop <email@example.com>" gpg: aka "Tim Bishop <T.D.Bishop@kent.ac.uk>" gpg: aka "Tim Bishop <tdb@FreeBSD.org>" gpg: aka "Tim Bishop <firstname.lastname@example.org>" gpg: Signature made Sat Aug 10 01:28:29 2013 BST using RSA key ID FDF38D55 gpg: Good signature from "Tim Bishop <email@example.com>" gpg: aka "Tim Bishop <tdb@FreeBSD.org>" gpg: aka "Tim Bishop <firstname.lastname@example.org>" gpg: aka "Tim Bishop <T.D.Bishop@kent.ac.uk>"
If you’ve signed my old key, and you’re happy that this process genuinely confirms that this is my new key, I’d be pleased if you could sign it too. If you have any questions or want any further confirmation of its validity, please contact me directly.