Key Change

A couple of weeks ago at the Rebellious Media Conference (which I have not yet had time to blog about) I was chatting to a couple of people about encryption and the web of trust. They gave me copies of their OpenPGP key fingerprints so that I could sign their keys when I got home, but when I sat down to do it I noticed that they both had 4096 bit RSA keys with expiry dates, whereas mine was a 1024 bit DSA key with no expiry date. I originally created my key way back in May 2000 but have never made much use of it, and it has only been signed by two other keys. I have been meaning to make an effort to extend my web of trust, but I thought I should first look into whether my key was sufficiently secure.

My question was answered by a May 2009 Debian Administration blog entry posted in response to the announcement of a fairly serious attack against the SHA-1 digest algorithm. The advice was to phase out use of 1024 bit DSA keys, and the blog author presented a useful set of steps for transitioning to a new key. The question of setting an expiry date was not covered, but I found a useful article about changing the expiry date which explained the reasons for setting one in the first place. In summary, I decided to generate a new 4096 bit RSA key set to expire after 3 years (if I am still using the key in 2014 I can extend it before it expires).

Once I had created the new key I signed it with my old key and uploaded it to a key server. Then I wrote a brief transition statement, signed it with both keys and uploaded it to my website. If you are one of the two people who signed my old key then this should give you enough confidence to sign the new one knowing that it is controlled by the same person.
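The transition steps in the two paragraphs above, as an added example that is not the author's own commands: it generates a stand-in old key and the new 4096 bit RSA key with a three-year expiry inside a temporary keyring, certifies the new key with the old one, clearsigns a transition statement with both keys, and then checks the result. It assumes GnuPG 2.1 or later on the PATH; the identity, the stand-in key's size and the file names are constructed for the demo.

```sh
#!/bin/sh
# Runs in a throwaway keyring so it never touches your real ~/.gnupg. Assumes GnuPG 2.1+ on PATH.
set -e
export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
EMAIL="demo@example.invalid"   # constructed identity, not the author's

# Generate an unprotected RSA signing key of $1 bits that expires after $2
# ("0" = never, "3y" = three years) and print its fingerprint.
gen_key() {
    gpg --batch --status-fd 1 --generate-key <<EOF | awk '$2 == "KEY_CREATED" { print $4 }'
%no-protection
Key-Type: RSA
Key-Length: $1
Key-Usage: sign
Name-Real: Demo User
Name-Email: $EMAIL
Expire-Date: $2
%commit
EOF
}

# Field $2 of key $1's "pub" record (3 = key length, 7 = expiry as Unix time, empty = never).
key_field() { gpg --with-colons --list-keys "$1" | awk -F: -v n="$2" '$1 == "pub" { print $n; exit }'; }
# Succeeds when key $2 carries a good certification by key $1 (long key ID = tail of its fingerprint).
signed_by() {
    gpg --with-colons --check-sigs "$2" 2>/dev/null |
        awk -F: -v k="$1" '$1 == "sig" && $2 == "!" && $5 == substr(k, length(k) - 15) { ok = 1 } END { exit !ok }'
}
# Number of good signatures on the clearsigned transition statement.
good_sig_count() { gpg --batch --status-fd 1 --verify "$GNUPGHOME/transition.txt.asc" 2>/dev/null | grep -c ' GOODSIG '; }

# Stand-in for the old key (the post's was 1024-bit DSA with no expiry; RSA 2048 here keeps the demo portable).
OLD=$(gen_key 2048 0)
# The replacement the post describes: 4096-bit RSA expiring after three years.
NEW=$(gen_key 4096 3y)
# Step 1: certify the new key with the old one, linking them in the web of trust.
gpg --batch --yes -u "$OLD" --quick-sign-key "$NEW"
# Step 2: write a transition statement and clearsign it with BOTH keys (one -u per signature).
printf 'OpenPGP key transition: %s is superseded by %s.\n' "$OLD" "$NEW" > "$GNUPGHOME/transition.txt"
gpg --batch --clearsign -u "$OLD" -u "$NEW" --output "$GNUPGHOME/transition.txt.asc" "$GNUPGHOME/transition.txt"
echo "old: $(key_field "$OLD" 3)-bit, expiry='$(key_field "$OLD" 7)'"
echo "new: $(key_field "$NEW" 3)-bit, expiry='$(key_field "$NEW" 7)', good signatures on statement: $(good_sig_count)"
```

Uploading the new key and the signed statement is the only step left out; `gpg --send-keys` and a copy of transition.txt.asc on your website cover that.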


2 responses to “Key Change”

  1. That will be me then. I haven’t used my key for ages. I had been thinking I should get a more secure one and this may prompt me to do so. Should I sign your key or wait until we meet up to really confirm it’s you?

    • If you are going to create a new key then you should wait until you have done that and sign mine with the new one. I can’t remember whether you checked the fingerprint when you signed my old key so we should probably follow the protocol. I will give you a printout of my new key fingerprint when I next see you and you could do the same. I will try to get along to the next LUG meeting so I might see you there.
