
GPG Key Transition Statement

After 8 years, I've decided to transition from my original GPG key and replace it with one that uses a stronger master key that meets NIST guidelines.

Over 8 years ago--probably while lounging in my tiny dorm room in engineering school--I decided that I wanted the ability to communicate with my friends & family privately. I decided that I wanted the ability to encrypt my emails. I decided to generate a gpg key.

In 2009--4 years before Edward Snowden unveiled that the US government was violating its own constitution by collecting & storing the internet activity of hundreds of millions of innocent US citizens--I generated & published my first gpg keypair. Since those teenage years, I graduated college with degrees in Computer Science and Secure Computing & Networking, worked for major tech firms, and began working for the best independent journalism outlet in the US--Democracy Now!

Though my colleagues, friends, & family infrequently used my gpg key in the past (don't tell the NSA!), I finally work with a great team of people that take security seriously, and I'm using gpg to sign & encrypt my daily work emails.

Unfortunately, my original master key was generated using gpg's defaults at the time--which used the Digital Signature Algorithm (DSA) with a 1024-bit key. This became "Disallowed" by NIST in November 2011.

So today I release my new RSA 4096-bit gpg key to the world & publish the following "GPG Key Transition Statement" -- which is cryptographically signed with both my old key & my new key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512,SHA1

Date: 2017-10-01

I have recently set up a new OpenPGP key & will be transitioning away from my 
old one.

The old key will continue to be valid for some time, but I prefer all future 
correspondence to come to the new one. I would also like this new key to be 
re-integrated into the web of trust.  This message is signed by both keys to 
certify the transition.

The old key was:

pub   dsa1024/0x1EF168D268C40535 2009-01-21 [SC] [expires: 2017-10-10]
      Key fingerprint = B162 9E1F 1737 EC4F 74C9  E923 1EF1 68D2 68C4 0535

And the new key is:

pub   rsa4096/0xFE1B84494E640D41 2017-09-30 [SC] [expires: 2018-10-01]
      Key fingerprint = 0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41

To fetch the full key from a public key server, you can simply do:

  gpg --keyserver pool.sks-keyservers.net --recv-key '0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41'

If you already know my old key, you can now verify that the new key is
signed by the old one:

  gpg --check-sigs '0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41'

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint '0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41'

If you are satisfied that you've got the right key, and the UIDs match what you 
expect, I'd appreciate it if you would sign my key. You can do that by issuing 
the following command:

  gpg --sign-key '0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41'

Note: My key should have at least two UIDs:

  [1] An ephemeral email address. This is where I actually send & receive mail, 
but it changes on occasion (ie: due to spam, service shutdown, distrust in 
provider, etc).

  [2] My permanent email address is michael@michaelaltfield.net. Even if this 
account is ignored (ie: due to spam), this is the email address associated with 
my permanent UID tied to my gpg key. Therefore, if you only want to sign one 
UID, please sign this one.

I'd like to receive your signatures on my key. After signing my key, please 
send me an email with my public key attached. You can export my public key that 
was signed by you by issuing the following command:

  gpg -a --export '0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41' > pubkey.asc

Additionally, I highly recommend that you implement a mechanism to keep your 
key material up-to-date so that you obtain the latest revocations, and other 
updates in a timely manner.

I also highly recommend checking out:

 * https://riseup.net/openpgp/best-practices

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.


Cheers,
Michael Altfield
https://www.michaelaltfield.net
PGP Fingerprint: 0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41

Note: If you cannot reach me via email, please check to see if I have changed 
my email address by visiting my website at https://email.michaelaltfield.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
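
The two checks the statement asks readers to run by hand (fingerprint match, new key certified by the old key) can be scripted. The following is an added example, not part of the original post: it parses `gpg --with-colons` output, and the sample listing with its timestamps and UID is constructed so the script runs without a keyring.

```sh
#!/bin/sh
# Added example (not from the original post): check a key transition offline
# by parsing gpg's machine-readable listing instead of eyeballing it.
# Real input would come from:
#   gpg --with-colons --with-fingerprint --check-sigs "$NEW_FPR"

NEW_FPR=0465E42F71206785E972644CFE1B84494E640D41  # from the statement
OLD_KEYID=1EF168D268C40535                        # from the statement

# check_transition NEW_FPR OLD_KEYID < colon-listing
# Exit 0: primary fingerprint matches and the old key's certification verified.
# Exit 1: mismatch, bad or missing certification. Exit 2: could not be checked.
check_transition() {
    awk -F: -v fpr="$1" -v old="$2" '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        # Field 10 of the first fpr record after pub is the primary fingerprint.
        $1 == "fpr" && primary && !seen { seen = 1; fpr_ok = ($10 "" == fpr ""); next }
        # Field 2 of a sig record is the check result, field 5 the issuer key ID.
        $1 == "sig" && ($5 "" == old "") {
            if ($2 == "!") good = 1          # signature verified
            else if ($2 == "-") bad = 1      # signature failed verification
            else unknown = 1                 # "?" no public key, "%" other error
        }
        END {
            if (!fpr_ok) { print "FAIL fingerprint mismatch"; exit 1 }
            if (bad)     { print "FAIL bad signature from old key"; exit 1 }
            if (good)    { print "OK new key certified by old key"; exit 0 }
            if (unknown) { print "UNVERIFIED old key signature not checkable"; exit 2 }
            print "FAIL no certification from old key"; exit 1
        }'
}

# Constructed sample listing (timestamps and UID are made up for illustration).
SAMPLE='pub:u:4096:1:FE1B84494E640D41:1506729600:1538352000::u:::scESC:
fpr:::::::::0465E42F71206785E972644CFE1B84494E640D41:
uid:u::::1506729600::::Example User <user@example.invalid>:
sig:!::1:FE1B84494E640D41:1506729600::::Example User <user@example.invalid>:13x:
sig:!::17:1EF168D268C40535:1506729700::::Example User <user@example.invalid>:10x:'

printf '%s\n' "$SAMPLE" | check_transition "$NEW_FPR" "$OLD_KEYID"
```

An exit status of 2 means the old key is not in the local keyring, so the cross-certification could not be checked; import the old key and run the check again.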

My current PGP Public Key can be downloaded here:

It is also available from most keyservers:

Related Resources

  1. https://riseup.net/en/security/message-security/openpgp/key-transition
  2. https://riseup.net/en/gpg-best-practices
  3. http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
