A couple of weeks ago at the Rebellious Media Conference (which I have not yet had time to blog about) I was chatting to a couple of people about encryption and the web of trust. They gave me copies of their OpenPGP key fingerprints so that I could sign their keys when I got home but when I sat down to do it I noticed that they both had 4096 bit RSA keys with expiry dates whereas mine was a 1024 bit DSA key with no expiry date. I originally created my key way back in May 2000 but have never made much use of it and it has only been signed by two other keys. I have been meaning to make an effort to extend my web of trust but I thought I should first look into whether my key was sufficiently secure.
My question was answered by a May 2009 Debian Administration blog entry posted in response to the announcement of a fairly serious attack against the SHA-1 digest algorithm. The advice was to phase out use of 1024 bit DSA keys and the blog author presented a useful set of steps for transitioning to a new key. The question of setting an expiry date was not covered but I found a useful article about changing the expiry date which explained the reasons for setting one in the first place. In summary I decided to generate a new 4096 bit RSA key set to expire after 3 years (if I am still using the key in 2014 I can extend it before it expires).
Once I had created the new key I signed it with my old key and uploaded it to a key server. Then I wrote a brief transition statement, signed it with both keys and uploaded it to my website. If you are one of the two people who signed my old key then this should give you enough confidence to sign the new one knowing that it is controlled by the same person.