New GPG Key

After a reminder from @pleia2 I've finally gone and updated my GPG key to a shiny new 4096-bit RSA key.

New Key

pub   4096R/8032CCE4 2011-05-18
      Key fingerprint = FB29 8ABB E1D0 0A1C 8FA4  DC1F A8B5 1F5E 8032 CCE4
uid                  Joel Goguen <jgoguen@jgoguen.ca>
uid                  Joel Goguen <joel@jgoguen.ca>
uid                  Joel Goguen <jtgoguen@gmail.com>
sub   4096R/F0B95B5C 2011-05-18

Old Key

pub   1024D/10AD161E 2009-11-30
      Key fingerprint = 8B95 B28E 2F04 116E F3D7  BCF3 5ED5 68FF 10AD 161E
uid                  Joel Goguen (Personal Key) <jgoguen@jgoguen.ca>
uid                  Joel Goguen (GMail Key) <jtgoguen@gmail.com>
sub   4096g/8F71CB0C 2009-11-30

Transition Statement

Here is my transition statement, shamelessly copied and modified to suit my needs, signed with both my old and new GPG keys:

Because of the attack against the SHA-1 digest algorithm I have now created a new 4096-bit RSA key to replace my 1024-bit DSA key.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust.

The old key was:

  pub   1024D/10AD161E 2009-11-30
        Key fingerprint = 8B95 B28E 2F04 116E F3D7  BCF3 5ED5 68FF 10AD 161E
  uid                  Joel Goguen (Personal Key) <jgoguen@jgoguen.ca>
  uid                  Joel Goguen (GMail Key) <jtgoguen@gmail.com>
  sub   4096g/8F71CB0C 2009-11-30

And the new key is:

  pub   4096R/8032CCE4 2011-05-18
        Key fingerprint = FB29 8ABB E1D0 0A1C 8FA4  DC1F A8B5 1F5E 8032 CCE4
  uid                  Joel Goguen <jgoguen@jgoguen.ca>
  uid                  Joel Goguen <joel@jgoguen.ca>
  uid                  Joel Goguen <jtgoguen@gmail.com>
  sub   4096R/F0B95B5C 2011-05-18

To fetch my new key from a public key server, you can simply do:

  gpg --keyserver pgp.mit.edu --recv-key 8032CCE4

If you already know my old key, you can now verify that the new key is signed by the old one:

  gpg --check-sigs 8032CCE4

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint 8032CCE4

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key:

  gpg --sign-key 8032CCE4

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures or you can just upload the signatures to a public keyserver directly:

  gpg --keyserver pgp.mit.edu --send-key 8032CCE4

If you'd rather wait to sign it until we meet again in person, I hope to see you soon! :)

You can download the signed transition statement to properly verify my keys. The unsigned text can be downloaded here as well.
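The fetch, check, fingerprint, sign and upload steps in the statement above are meant to be done by hand, and the one step that actually protects you against a substituted key is the fingerprint comparison. The script below is an added example, not part of the original post: it runs the same sequence but refuses to sign unless the full 40-hex-digit fingerprint reported by gpg's machine-readable listing matches the one published in the statement. The fingerprint, key ID and keyserver are the ones quoted above; the script name verify_key.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies a freshly fetched key
# against the fingerprint published in a transition statement before signing.

# Values quoted in the transition statement above.
EXPECTED_FPR="FB29 8ABB E1D0 0A1C 8FA4  DC1F A8B5 1F5E 8032 CCE4"
KEY_ID="8032CCE4"
KEYSERVER="pgp.mit.edu"

# Strip whitespace and upper-case, so the spaced form printed by
# `gpg --fingerprint` and the bare form from `--with-colons` compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Returns 0 when the two arguments denote the same key, 1 otherwise.
# Anything that is not a full 40-hex-digit fingerprint is rejected, so a
# short key ID (which can be forged cheaply) can never satisfy the check.
fingerprints_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Read the primary key's fingerprint from gpg's colon-separated listing:
# 'fpr' records carry the fingerprint in field 10, primary key first.
fingerprint_of() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The workflow from the statement, gated on the fingerprint comparison.
verify_and_sign() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$KEY_ID" || return 1
    actual=$(fingerprint_of "$KEY_ID")
    if ! fingerprints_match "$EXPECTED_FPR" "$actual"; then
        echo "refusing to sign: fingerprint mismatch (got '$actual')" >&2
        return 1
    fi
    gpg --check-sigs "$KEY_ID"   # shows whether the old key has signed the new one
    gpg --sign-key "$KEY_ID" && gpg --keyserver "$KEYSERVER" --send-keys "$KEY_ID"
}

# Run the workflow only when executed as verify_key.sh (assumed name);
# the functions stay available when the file is sourced.
case "${0##*/}" in
    verify_key.sh) verify_and_sign ;;
esac
```

Paste the fingerprint into EXPECTED_FPR from a copy of the statement you obtained out of band (the signed text, or in person), not from the keyserver listing you are about to check, otherwise the comparison proves nothing.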

Are you still using a 1024-bit key, or not yet using a GPG key? These links can help you transition to using a 4096-bit key. The directions are also good for generating your very first key; just leave out all the parts referencing your old key!
