-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear friend/colleague/key signer,

I am transitioning my OpenPGP keys from an old 1024-bit DSA key to a new
4096-bit RSA key. The old key will continue to be valid for quite some
time, but I prefer all new correspondence to be encrypted to the new key,
and will be making all signatures going forward with the new key. The new
key will also be the one I use to integrate into the Web of Trust, and it
is the only one I will use for free software development.

This transition document is signed with both keys to validate the
transition. I would be happy to reciprocate if you have a similarly signed
transition statement to present. Just let me know!

Reasons for this change
- -----------------------

This change is primarily to increase the key size. The key size increase
should prevent future attacks (see [0]) and keep the key in line with
current Debian keyring requirements (see [1] and [2]).

What does this mean for you?
- ----------------------------

First of all, I would like you to:

- retrieve my new key
- use the new key for future communications with me
- if you have signed my old key in the past, I would appreciate it if you
  could sign the new key too, provided that your signing policy permits
  that without re-authenticating me in person.

The next parts of this document provide the steps to do the above. Feel
free to use them as guidance for this process.
Information about my OpenPGP keys
- ---------------------------------

The new key, to which I'm transitioning, is:

pub   4096R/3219C4E7 2014-04-11
      Key fingerprint = B555 A43F ADF8 D3C6 52C5 4383 7FF0 C742 3219 C4E7
uid                  Francisco Manuel Garcia Claramonte
uid                  Francisco Manuel Garcia Claramonte
uid                  Francisco Manuel Garcia Claramonte
sub   4096R/1B25DCEF 2014-04-11

The old key, which I am transitioning away from, is:

pub   1024D/556ABA51 2003-10-11
      Key fingerprint = CF68 2F04 6496 EFEA 663C 2441 9A95 3C82 556A BA51
uid                  Francisco Manuel Garcia Claramonte
uid                  Francisco Garcia
uid                  Francisco Garcia Claramonte
sub   1024g/DC9E88E7 2003-10-11

To fetch the full key from a public key server, you can simply do:

  gpg --keyserver keys.gnupg.net --recv-key 3219C4E7

If you have already validated my old key, you can now verify that the new
key is signed by the old one:

  gpg --check-sigs 3219C4E7

You can also check the fingerprint against the one above:

  gpg --fingerprint 3219C4E7

Compare the whole 40-digit fingerprint, not just the 8-digit key ID: short
key IDs are cheap to collide, so a key server may hand back more than one
key for 3219C4E7, and only the fingerprint (together with the signature
from my old key) tells you which one is mine.

Signing my new key
- ------------------

If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key and send me
the signatures.

If you are using Debian, a simple and safe way to do it is by using 'caff'
[3], which is available in the keysigning package 'signing-party' [4].
Just install it, configure it as described in the Debian Wiki and run

  $ caff 3219C4E7

You can also do it "by hand", using GPG directly. Just issue the following
command:

  $ gpg --sign-key 3219C4E7

To send me an e-mail with the new signatures you can do the following (if
you have a functional MTA on your system):

  $ gpg --export 3219C4E7 | gpg --encrypt -r 3219C4E7 --armor | mail -s 'OpenPGP Signatures for new key' francisco@debian.org

Prioritising the new key (optional)
- -----------------------------------

To avoid signing/encrypting with the old key, which shares the same e-mail
addresses as the new one, you can make some changes in your keyring.
If you have already imported my new key, removing the old one from the
keyring and adding it again ensures that the new one comes first and will
be the first selection whenever the appropriate e-mail address is
requested. You can do it by issuing the following commands:

  $ gpg --export 556ABA51 > ~/tmp/public-556ABA51
  $ gpg --delete-key 556ABA51
  $ gpg --import ~/tmp/public-556ABA51

I suggest you keep my old key, since that will be the only way to verify
e-mails and documents I've signed in the last 11 years (more specifically
in the period 2003-2014). However, if you don't want to keep the old one,
once you have signed my new key you can remove the previous key by issuing
the following command:

  $ gpg --delete-key 556ABA51

By doing this, you might avoid confusing prompts when sending e-mails or
encrypting content to one of my user IDs, since they are associated with
two different keys.

Keeping your keys up-to-date
- ----------------------------

As suggested by others, it might be convenient for you to implement a
mechanism to keep your key material up-to-date, so that you obtain the
latest revocations and other updates in a timely manner. On a system with
cron, you can add something similar to the following to your personal
crontab:

- ----------------------- cut here ----------------------------------
0 12 * * * /usr/bin/gpg --refresh-keys
- ----------------------- cut here ----------------------------------

Please let me know if you have any questions or problems, and sorry for
the inconvenience. Feel free to contact me via e-mail at if you have any
questions about this document or this transition.

Francisco Manuel Garcia Claramonte / 2014-09-02

PS: For easier access, this document is also available in text format at
https://people.debian.org. You can validate it also by doing:

  $ gpg --keyserver keys.gnupg.net --recv-key 3219C4E7
  [....]
  $ curl https://people.debian.org/~francisco/key-transition-2014.txt | gpg --verify
  ......................................................................

References:

[0] "HOWTO prep for migration off of SHA-1 in OpenPGP", written by dkg,
    Wednesday 6th May 2009,
    https://www.debian-administration.org/users/dkg/weblog/48
[1] "Bits from keyring-maint", written by Gunnar Wolf, September 14th 2010,
    available at
    https://lists.debian.org/debian-devel-announce/2010/09/msg00003.html
[2] "Bits from keyring-maint: Pushing keyring updates. Let us bury your
    old 1024D key!", written by Gunnar Wolf, 6th March 2014, available at
    https://lists.debian.org/debian-devel-announce/2014/03/msg00003.html
[3] https://wiki.debian.org/caff
[4] https://packages.debian.org/sid/signing-party
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUBazMAAoJEH/wx0IyGcTnHgoP/2jASqWcmrQPvw009ZM2H6qg
bTiokSL7A0F7JaoKO+hO+opCtDiPTaJg0yHCqI694CYTzIg6FJX2bZFQIDN925p+
WgZslvDpFp+abSB38mE7K5wYR0DgLvyCjXvGkIuH9+eyCtxJ5QEI16XfGaiwRDrh
srwTlNAueqon2USdQdtnBzWcHr1UNXt+sdiiuWiGt0ELUyOoe4T6sx9WX8/OU2zy
f09GWQnQFWArSGDbE77363BGaZdNfPubGGoaeyJ2x/BdsS8GomMP5BXZdjmkO8JF
MVqw6m19om5qGooZuQK11pPa8FuQjAwQZXLBpIpC9V+7lskmU8eINagGY0T7u9np
MeZtZro7BulOWXMHZDzOzyHkFeGI+6JH4seHeVj48G83FRkxfUaSc+kZrymv6ZUu
ewGLj29rKZndY9ZWeEGMUhrEommvRRyfko2+AH+EJ6geOqU8g1CsAmtoNmo8WHet
3LN+QB6riVJNY/psM2ugqsnktSPfJ7/xN4763r2fOp3nQ7kgS4Od1p0zkagmfeWE
nJ8g1wvZye7cAjzxgqnG4lId9faIuRFJZhKa0oqjLB8AVFRds1gEQOonM/RnspEf
RkSRIHUnrNQZSRPvon5ymi7D0+YZWyYAjIu16MskVJ+qbfhdhJyJWjmb9j08EOed
/FuHsNEhtaUbI6uJPBDw
=KaPs
-----END PGP SIGNATURE-----
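The verification steps the statement asks of a key signer (fetch the key, compare its fingerprint with the published one, confirm that the old key has certified it) are easy to get wrong by trusting the 8-digit key ID alone. The script below is an added example by the editor and is not part of the signed statement: it parses the machine-readable listing from `gpg --with-colons --fingerprint --check-sigs` and performs both checks before you run `caff` or `gpg --sign-key`. The two fingerprints are the ones printed in the statement; the sample listings, their timestamps, UID hashes, the subkey's long ID and the colliding "evil twin" fingerprint are constructed for this example.

```python
"""Check a fetched OpenPGP key against a key-transition statement.

Parses  gpg --with-colons --fingerprint --check-sigs <key>  (field layout
per gnupg's doc/DETAILS, 1-based there) and accepts the key only if its
primary fingerprint equals the published one AND the old key made a good
certification on one of its user IDs.
"""
import re
import subprocess

# Fingerprints copied from the transition statement.
NEW_KEY_FPR = "B555 A43F ADF8 D3C6 52C5 4383 7FF0 C742 3219 C4E7"
OLD_KEY_FPR = "CF68 2F04 6496 EFEA 663C 2441 9A95 3C82 556A BA51"

CERT_SIG_CLASSES = {"10", "11", "12", "13"}  # 0x10..0x13: user-ID certifications

def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case, so 'B555 A43F ...' == 'b555a43f...'."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 160-bit v4 fingerprint: {fpr!r}")
    return fpr

def long_keyid(fpr: str) -> str:
    """64-bit key ID = last 16 hex digits of a v4 fingerprint."""
    return normalize_fpr(fpr)[-16:]

def parse_colons(text: str):
    """Split --with-colons output into field lists (gpg escapes ':' in UIDs as \\x3a)."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def primary_fingerprint(records) -> str:
    """The first 'fpr' record after 'pub'; later ones belong to subkeys."""
    seen_pub = False
    for f in records:
        if f[0] == "pub":
            seen_pub = True
        elif f[0] == "fpr" and seen_pub:
            return f[9].upper()
    raise ValueError("no primary-key fingerprint in listing")

def good_certifiers(records) -> set:
    """Long key IDs whose user-ID certification gpg verified: '!' in field 2.

    '-' = bad signature, '%' = error, '?' = signer's key not in keyring.
    Field 11 is the signature class ('13x'); 0x18 subkey bindings are ignored.
    """
    signers = set()
    for f in records:
        if f[0] == "sig" and len(f) > 10 and f[1] == "!" and f[10][:2] in CERT_SIG_CLASSES:
            signers.add(f[4].upper())
    return signers

def check_transition(listing: str, expected_new_fpr: str, old_fpr: str) -> dict:
    """Return the verdict; certify the key only when verdict['ok'] is True."""
    records = parse_colons(listing)
    verdict = {
        "fingerprint_matches": primary_fingerprint(records) == normalize_fpr(expected_new_fpr),
        "signed_by_old_key": long_keyid(old_fpr) in good_certifiers(records),
        "uids": [f[9] for f in records if f[0] == "uid"],
    }
    verdict["ok"] = verdict["fingerprint_matches"] and verdict["signed_by_old_key"]
    return verdict

def gpg_listing(key: str) -> str:
    """Live listing from a local gpg (needs gpg installed and the key already imported)."""
    cmd = ["gpg", "--with-colons", "--fingerprint", "--check-sigs", key]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample listing: timestamps, UID hash and subkey long ID are placeholders.
SAMPLE_GOOD = """\
pub:-:4096:1:7FF0C7423219C4E7:1397174400:::-:::scESC::::::::0:
fpr:::::::::B555A43FADF8D3C652C543837FF0C7423219C4E7:
uid:-::::1397174400::0123456789ABCDEF0123456789ABCDEF01234567::Francisco Manuel Garcia Claramonte <francisco@debian.org>::::::::::0:
sig:!::1:7FF0C7423219C4E7:1397174400::::Francisco Manuel Garcia Claramonte <francisco@debian.org>:13x::B555A43FADF8D3C652C543837FF0C7423219C4E7:::8:
sig:!::17:9A953C82556ABA51:1397260800::::Francisco Garcia Claramonte <francisco@debian.org>:10x::CF682F046496EFEA663C24419A953C82556ABA51:::2:
sub:-:4096:1:000000001B25DCEF:1397174400:::::e::::::::23:
fpr:::::::::000000000000000000000000000000001B25DCEF:
sig:!::1:7FF0C7423219C4E7:1397174400::::Francisco Manuel Garcia Claramonte <francisco@debian.org>:18x::B555A43FADF8D3C652C543837FF0C7423219C4E7:::8:
"""

# Constructed lookalike: same short ID 3219C4E7, different fingerprint, only a self-signature.
SAMPLE_EVIL_TWIN = """\
pub:-:4096:1:DEADBEEF3219C4E7:1409000000:::-:::scESC::::::::0:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEF3219C4E7:
uid:-::::1409000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Francisco Manuel Garcia Claramonte <francisco@debian.org>::::::::::0:
sig:!::1:DEADBEEF3219C4E7:1409000000::::Francisco Manuel Garcia Claramonte <francisco@debian.org>:13x::DEADBEEFDEADBEEFDEADBEEFDEADBEEF3219C4E7:::8:
"""

if __name__ == "__main__":
    for name, listing in (("published key", SAMPLE_GOOD), ("evil twin", SAMPLE_EVIL_TWIN)):
        print(name, check_transition(listing, NEW_KEY_FPR, OLD_KEY_FPR))
```

Against a real keyring, replace the sample with `gpg_listing("3219C4E7")`; if the key server returned two keys for that short ID, run the check on each full fingerprint and certify only the one whose verdict is `ok`. The `signed_by_old_key` check only succeeds when the old key is already in your keyring and validated, which is exactly the precondition the statement sets for `gpg --check-sigs`.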