
OpenPGP Key Transition

From M.Eng. René Schwarz, Bremen/Merseburg

In the light of the recent occurrences in the domain of computer security, I will hereby replace my old OpenPGP key with a new and stronger key. The old key is invalid with immediate effect and I recommend using my new one for all future correspondence. Please see my key transition notice here for further details:

https://www.rene-schwarz.com/pgp/2013-08-11_transition_notice

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA512

PUBLIC ANNOUNCEMENT                                        M.Eng. *René Schwarz*
August 11, 2013                                          <mail@rene-schwarz.com>
                                                  <https://www.rene-schwarz.com>


                         OPENPGP KEY TRANSITION NOTICE
                                  ~~~~~O~~~~~


In the light of the recent occurrences in the domain of computer security [1], I
will hereby replace my old OpenPGP key with a new and stronger key.

The old key is invalid with immediate effect and I recommend using my new one
for all future correspondence. I would also like this new key to be signed by
other persons in order to establish a web of trust. This message has been signed
by both my old key and my new key to certify the transition.

My old key was

    pub   1024D/DA8DE871 2009-02-07
          Key fingerprint = 3124 8A0C 92C6 9129 75DB  F4C6 91C4 AC7F DA8D E871

and my new key is:

    pub   8192R/687A7D75 2013-07-28
          Key fingerprint = DC8B FE25 50F7 6FBB 05BB  5917 4B71 ED33 687A 7D75

To fetch the full key from a public key server, you can simply do

    gpg --keyserver pool.sks-keyservers.net --recv-key 687A7D75

or download it from my website:

    <https://www.rene-schwarz.com/pgp/public-key-687A7D75.asc>

If you already know my old key, you can now verify that the new key is signed by
the old one:

    gpg --check-sigs 687A7D75

If you don't already know my old key or you just want to be double extra
paranoid, you can check the fingerprint against the one above:

    gpg --fingerprint 687A7D75

If you are satisfied that you have got the right key and the UIDs match what you
expect, I would appreciate it if you would sign my key and send it back to the
keyserver. You can do that by issuing the following commands:

    gpg --sign-key 687A7D75
    gpg --keyserver pool.sks-keyservers.net --send-key 687A7D75

It would also be nice of you to inform me about this certification via e-mail to
<mail@rene-schwarz.com>; if you have a working MTA installed on your system you
can do this simply by:

    gpg --armor --export 687A7D75 | mail -s 'OpenPGP Certification 687A7D75' \
    mail@rene-schwarz.com

Additionally, I highly recommend that you implement a mechanism to keep your
keyrings up-to-date so that you obtain the latest revocations and other updates
in a timely manner. You can do regular key updates by using `parcimonie' [2] to
refresh your keyring. It is a daemon that slowly refreshes your keyring from a
keyserver over Tor. It uses a randomized sleep and fresh Tor circuits for each
key. The purpose is to make it hard for an attacker to correlate the key
updates with your keyring.

Please let me know if you have any questions or problems regarding this message
or the transition.


                                    M.Eng. *René Schwarz*
                                    <mail@rene-schwarz.com>
                                    <http://www.rene-schwarz.com>


ACKNOWLEDGEMENTS
    Most of the text above was directly copied out of a template from the Riseup
    GPG Best Practices website which can be found here:
    <https://we.riseup.net/riseuplabs+paow/openpgp-best-practices>

REFERENCES
    [1] Refer to these websites, among others:
        * <https://www.debian-administration.org/users/dkg/weblog/48>
        * <http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf>
        * <https://en.wikipedia.org/wiki/Edward_Snowden>
    [2] <https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

-----END PGP SIGNATURE-----
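
The two manual checks in the notice (`gpg --check-sigs` and `gpg --fingerprint`) can be scripted against gpg's machine-readable `--with-colons` listing, comparing the full 40-digit fingerprint rather than the short key ID. The following is an added example, not part of the signed notice or the author's own tooling; the function names and the sample listing are constructed for illustration, and only the two fingerprints are taken from the notice.

```shell
#!/bin/sh
# Added example. Fingerprints are the two printed in the notice above.
NEW_FPR='DC8B FE25 50F7 6FBB 05BB  5917 4B71 ED33 687A 7D75'
OLD_FPR='3124 8A0C 92C6 9129 75DB  F4C6 91C4 AC7F DA8D E871'

# Strip whitespace and upper-case so a pasted fingerprint compares exactly.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# check_transition NEW_FPR OLD_FPR   (colon listing of ONE key on stdin)
# returns 0: fingerprint matches and the old key's signature verified ("!")
#         1: primary fingerprint differs from NEW_FPR
#         2: no verified signature by the old key on the new key
check_transition() {
    want=$(normalize_fpr "$1")
    old=$(normalize_fpr "$2")
    awk -F: -v want="$want" -v old="$old" '
        $1 == "pub" { npub++ }
        # The first fpr record after pub carries the primary fingerprint.
        npub == 1 && $1 == "fpr" && got == "" { got = $10 }
        # sig record: field 2 = check result, field 5 = signer long key ID,
        # field 13 = signer fingerprint when gpg fills it in.
        npub == 1 && $1 == "sig" && substr($2, 1, 1) == "!" {
            if (($13 != "") ? ($13 == old) : ($5 == substr(old, 25))) cross = 1
        }
        END { if (got != want) exit 1; if (!cross) exit 2 }'
}

# Constructed sample listing (timestamps and user ID are made up).
# $1 is the check result gpg would report for the old key's signature.
sample_listing() {
    cat <<EOF
pub:-:8192:1:4B71ED33687A7D75:1374969600:::-:::scESC:
fpr:::::::::DC8BFE2550F76FBB05BB59174B71ED33687A7D75:
uid:-::::1374969600::::Example User <user@example.invalid>:
sig:!::1:4B71ED33687A7D75:1374969600::::Example User <user@example.invalid>:13x:
sig:$1::17:91C4AC7FDA8DE871:1376179200::::Example User <user@example.invalid>:10x:
EOF
}

if sample_listing '!' | check_transition "$NEW_FPR" "$OLD_FPR"; then
    echo "transition verified"
fi
# Live use: gpg --with-colons --check-sigs "$(normalize_fpr "$NEW_FPR")" | check_transition "$NEW_FPR" "$OLD_FPR"
```

A return code of 2 on a live keyring usually means the old key is not in the local keyring, in which case gpg reports `?` instead of `!` for its signature.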