New OpenPGP Key

I’ve had my old OpenPGP key for around 13 years. That’s a long time, and it’s a tough decision to just throw it away and replace it and the signatures I’ve gained during that time. But it’s no longer doing the job required of it — at 1024-bit it’s possible that with a feasible amount of computing power you could break the encryption it provides. So it’s time to create a shiny new 4096-bit RSA key to replace it with.

I’ve followed all the suggested best practice documents that I could find and created my new key. I’ve published it to some public key servers, including, and I’ve written the now common transitional statement (admittedly, “written” is used loosely here — I mostly borrowed the text and layout from other people).

Hash: SHA1,SHA512

From: Tim Bishop <>
Date: 2013-08-10

After 13 years my old 1024-bit DSA key no longer meets the standards
suggested by current best practice, so I've generated a new 4096-bit
RSA key to replace it.

My old key was:

  pub   1024D/0x7DCED6595AE7D984 2000-10-07
        Key fingerprint = 1453 086E 9376 1A50 ECF6  AE05 7DCE D659 5AE7 D984
  uid                  Tim Bishop <>
  uid                  Tim Bishop <>
  uid                  Tim Bishop <>
  uid                  Tim Bishop <>

My new key is:

  pub   4096R/0x6C226B37FDF38D55 2013-08-07 [expires: 2015-08-07]
        Key fingerprint = 4BD9 5F90 8A50 40E8 D26C  D681 6C22 6B37 FDF3 8D55
  uid                  Tim Bishop <>
  uid                  Tim Bishop <>
  uid                  Tim Bishop <>
  uid                  Tim Bishop <>

My old key will continue to be valid, but I would prefer all future
communication to be done using my new key. In addition, any other keys
being distributed on public key servers that use any of the above UIDs
should be considered invalid.

This document has been signed using both the old and the new keys so
that you can certify the transition. In addition, the new key has been
signed with the old one to confirm its validity. If you previously
signed my old key I'd appreciate it if you could sign the new one if
you're happy with the trust that signature gives.

If you'd like any further verification or have any questions about
this transition please contact me directly.


Version: GnuPG v1.4.14 (FreeBSD)


The statement above can also be downloaded here, or you can just copy and paste it into your PGP client of choice. I use GnuPG.

The following output shows the statement being verified by both my old and new keys. You’ll likely see something slightly different than me because you won’t trust my new key yet. If you trust my old key it should validate correctly and confirm that the statement is genuine and that I have a new key.

% gpg --keyserver --recv-key 0x6C226B37FDF38D55
gpg: requesting key FDF38D55 from hkp server
gpg: key FDF38D55: public key "Tim Bishop <>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
% wget -qO - | gpg --verify
gpg: Signature made Sat Aug 10 01:28:29 2013 BST using DSA key ID 5AE7D984
gpg: Good signature from "Tim Bishop <>"
gpg:                 aka "Tim Bishop <>"
gpg:                 aka "Tim Bishop <>"
gpg:                 aka "Tim Bishop <>"
gpg: Signature made Sat Aug 10 01:28:29 2013 BST using RSA key ID FDF38D55
gpg: Good signature from "Tim Bishop <>"
gpg:                 aka "Tim Bishop <>"
gpg:                 aka "Tim Bishop <>"
gpg:                 aka "Tim Bishop <>"
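The human-readable output above identifies each signer only by a 32-bit short key ID (`5AE7D984`, `FDF38D55`), and short IDs are cheap to collide, so a recipient who wants to automate the check should compare full fingerprints instead. The following Python script is an added example, not code from the post or from GnuPG: it parses the machine-readable status lines GnuPG emits with `gpg --status-fd 1 --verify` (the `GOODSIG`/`BADSIG`/`VALIDSIG` keywords are real GnuPG status words) and accepts a transition statement only when every expected key left a good signature and no other key did. The two fingerprints are the ones quoted in the statement; the status-line samples, the e-mail address, the timestamps and the all-zero "unknown key" fingerprint are constructed placeholders for the example.

```python
"""Check a key-transition statement against full fingerprints.

Parses GnuPG's machine-readable status lines (gpg --status-fd 1 --verify)
and accepts the statement only when every expected key produced a good
signature and nothing else signed it.  Full 160-bit fingerprints are
compared, never the 32-bit "short key IDs" that gpg prints in its
human-readable output, because short IDs are cheap to collide.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, replace

# Fingerprints quoted in the transition statement above.
OLD_KEY_FPR = "1453 086E 9376 1A50 ECF6 AE05 7DCE D659 5AE7 D984"
NEW_KEY_FPR = "4BD9 5F90 8A50 40E8 D26C D681 6C22 6B37 FDF3 8D55"

# Constructed sample of what `gpg --status-fd 1 --verify statement.asc`
# emits for a statement clearsigned by both keys (DSA/SHA1 then RSA/SHA512).
# The e-mail address and timestamps are placeholders, not captured output.
SAMPLE_STATUS_BOTH_KEYS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7DCED6595AE7D984 Tim Bishop <placeholder@example.invalid>
[GNUPG:] VALIDSIG 1453086E93761A50ECF6AE057DCED6595AE7D984 2013-08-10 1376094509 0 4 0 17 2 01 1453086E93761A50ECF6AE057DCED6595AE7D984
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6C226B37FDF38D55 Tim Bishop <placeholder@example.invalid>
[GNUPG:] VALIDSIG 4BD95F908A5040E8D26CD6816C226B37FDF38D55 2013-08-10 1376094509 0 4 0 1 10 01 4BD95F908A5040E8D26CD6816C226B37FDF38D55
"""

# Constructed failure case: the old key's signature is good, the new key's
# signature is BAD (text altered after signing), and an unrelated key with a
# made-up all-zero fingerprint has also signed the statement.
SAMPLE_STATUS_TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7DCED6595AE7D984 Tim Bishop <placeholder@example.invalid>
[GNUPG:] VALIDSIG 1453086E93761A50ECF6AE057DCED6595AE7D984 2013-08-10 1376094509 0 4 0 17 2 01 1453086E93761A50ECF6AE057DCED6595AE7D984
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6C226B37FDF38D55 Tim Bishop <placeholder@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2013-08-10 1376094509 0 4 0 1 10 01 0000000000000000000000000000000000000000
"""

# One status keyword is emitted per signature; VALIDSIG follows only for
# signatures that verified mathematically.
_STATUS_WORDS = {
    "GOODSIG": "good",
    "BADSIG": "bad",                 # signed text was modified
    "ERRSIG": "error",               # key not available or unsupported algorithm
    "EXPSIG": "expired-signature",
    "EXPKEYSIG": "expired-key",
    "REVKEYSIG": "revoked-key",
}


@dataclass(frozen=True)
class Signature:
    key_id: str       # 64-bit long key ID as gpg prints it
    fingerprint: str  # full primary-key fingerprint, "" if gpg gave none
    status: str       # one of the _STATUS_WORDS values


def normalise(fpr: str) -> str:
    """Strip the display spacing from a fingerprint and upper-case it."""
    return re.sub(r"\s+", "", fpr).upper()


def short_key_id(fpr: str) -> str:
    """The 32-bit short ID is just the last 8 hex digits: not unique."""
    return normalise(fpr)[-8:]


def long_key_id(fpr: str) -> str:
    """The 64-bit long ID is the last 16 hex digits (still not a fingerprint)."""
    return normalise(fpr)[-16:]


def parse_status(status_text: str) -> list[Signature]:
    """Turn gpg --status-fd output into one Signature per signature seen."""
    sigs: list[Signature] = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in _STATUS_WORDS:
            sigs.append(Signature(fields[2], "", _STATUS_WORDS[keyword]))
        elif keyword == "VALIDSIG" and sigs:
            # fields[11] is the primary-key fingerprint when a subkey signed;
            # older gpg omits it, in which case fields[2] is already primary.
            primary = fields[11] if len(fields) > 11 else fields[2]
            sigs[-1] = replace(sigs[-1], fingerprint=normalise(primary))
    return sigs


def check_transition(status_text: str, expected_fprs: list[str]) -> tuple[bool, list[str]]:
    """True only if every expected key signed well and nobody else did."""
    expected = {normalise(f) for f in expected_fprs}
    seen_good: set[str] = set()
    problems: list[str] = []
    for sig in parse_status(status_text):
        if sig.status != "good":
            problems.append(f"{sig.status} signature from key {sig.key_id}")
        elif sig.fingerprint in expected:
            seen_good.add(sig.fingerprint)
        else:
            problems.append(f"good signature from unexpected key {sig.fingerprint or sig.key_id}")
    for fpr in sorted(expected - seen_good):
        problems.append(f"no good signature from expected key {fpr}")
    return (not problems, problems)


if __name__ == "__main__":
    # Usage: gpg --status-fd 1 --verify statement.asc 2>/dev/null | python3 check_transition.py
    ok, problems = check_transition(sys.stdin.read(), [OLD_KEY_FPR, NEW_KEY_FPR])
    print("transition statement OK" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

The script deliberately reports three separate things for the tampered sample: the bad signature, the unexpected signer, and the expected key that is therefore missing; a transition statement should be accepted only when all three lists are empty, since a good signature from the old key alone proves nothing about the new one.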

If you’ve signed my old key, and you’re happy that this process genuinely confirms that this is my new key, I’d be pleased if you could sign it too. If you have any questions or want any further confirmation of its validity, please contact me directly.
