In light recent new attacks against SHA-1 [1,2], and the NIST guidance on 1024 bit keys and SHA-1 hashes [3,4], I have decided to move to a new OpenPGP key of a larger size. As such, I will be slowly transitioning away from my old key.
My old key will continue to be valid for some time to come, but I’d prefer all new correspondence to use the new one. I’ll also be switching my outgoing signatures (email and code) onto the new key. For this to work well, I’d like my new key to be re-integrated into the web of trust. So, I’ve signed this message with both the old and the new keys, to certify the transaction.
the old key was:
pub 1024D/365CC7A2 2004-06-28 Kanru Chen (koster) Primary key fingerprint: 3278 DFB4 BB28 6E8C 9E1F 1ECB B1B7 5B5F 365C C7A2 And the new key is:
pub 4096R/CEC6AD46 2009-10-19 Kan-Ru Chen (陳侃如) Primary key fingerprint: 374F F2AD 0A12 935F D0B0 C84F 1B13 2E01 CEC6 AD46 To fetch my new key from a public key server, you can simply do:
gpg --keyserver pgp.mit.edu --recv-key CEC6AD46 If you already know my old key, you can now verify that the new key is signed by the old one:
gpg --check-sigs CEC6AD46 If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:
gpg --fingerprint CEC6AD46 If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:
gpg --sign-key CEC6AD46 Lastly, if you could upload these signatures, I would appreciate it. Please could you just upload the signatures to a public keyserver directly:
若您簽署之後可以把簽名上傳到公開金鑰伺服器就太好了.
gpg --keyserver pgp.mit.edu --send-key CEC6AD46 Please let me know if there is any trouble, and sorry for the inconvenience.
Thanks, Kanru
Sign 過的版本, 用 gpg –verify 驗證
- http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
- http://www.debian-administration.org/users/dkg/weblog/48
- http://csrc.nist.gov/groups/ST/hash/statement.html
- http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf