-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512,SHA1

GnuPG key transition statement
==============================

I am transitioning my GPG key from an old 1024-bit DSA key to a new
4096-bit RSA key. The old key will continue to be valid for some time,
but I prefer all correspondence to use the new key from now on.

Motivation
~~~~~~~~~~

tl;dr: Debian wants new keys and I always wanted an air gap between key
and networked computer. I now have both but spent too much time for this.

As you probably have guessed, the reason to finally move to a new key is
this announcement:

    https://lists.debian.org/debian-devel-announce/2014/08/msg00015.html

I also fear that the key might be broken but I do not believe some big
agency spends massive amounts of computational power to break into Debian.
They probably could use much easier means to get in.

Of greater concern to me is the possibility that the private key could
get extracted from my computer by either a break-in via the network
connection or somebody who got physical access. We all think our systems
are safe, don't we? So was Sony, I guess.

So this prompted me to finally get my private key off my computer. If
anybody cares, the key now sits on a FSFE Fellowship Smart Card.

It wasn't as easy as I expected to set this up so I spent all my at-home
computer time for weeks. Real life stopped me before sending this
transition statement.

Anyway, I feel better now given that my old key used to sit on a floppy
disk until that was unusable and ended up being stored in my $HOME,
albeit encrypted.

If anybody tries a similar setup and runs into problems, I would be glad
to help. It also would make the time spent look less like a waste.

Signing request
~~~~~~~~~~~~~~~

To certify the key transition, this transition statement is signed with
both the old and the new key.

I would appreciate it if you could sign my new key so that it is well
integrated into the web of trust, provided that your personal signing
policy permits it.
I'm fully aware that you may not sign based on transition documents and
I certainly respect your decision and won't pester you again.

The old key was:

    pub   1024D/0x750807B5551BE447 1999-03-23
          Key fingerprint = 820F 6308 F2B0 8DA2 4D3E  C20E 7508 07B5 551B E447
    uid   Torsten Landschoff
    sub   1024g/0xB1B79D0327BE2E11 1999-03-23

The new key is:

    pub   4096R/0x308355FA32C5067D 2014-10-16 [expires: 2016-10-15]
          Key fingerprint = 8A4D 01D9 83DF 73C5 1DCC  745B 3083 55FA 32C5 067D
    uid   Torsten Landschoff
    uid   Torsten Landschoff
    uid   Torsten Landschoff
    uid   Torsten Landschoff
    uid   [jpeg image of size 15017]
    sub   4096R/0x1E5F95A7863B7C77 2014-10-16 [expires: 2016-10-15]
    sub   4096R/0xEF9AC6A0E3AC040E 2014-10-16 [expires: 2016-10-15]
    sub   4096R/0x8E02CF8DD72A8A42 2014-10-16 [expires: 2016-10-15]

The new key is available from the gnupg keyservers. To retrieve the full
key you can run

    gpg --keyserver keys.gnupg.net --recv-key 0x308355FA32C5067D

If you have already validated my old key, you can now verify that the new
key is signed by the old one:

    gpg --check-sigs 0x308355FA32C5067D

If you are satisfied that you have the right key, I would appreciate it
if you would sign my new key and send the signature to me by email.

You can perform the signing using gpg directly:

    gpg --sign-key 0x308355FA32C5067D

If you have a functioning MTA on your system, you can send me the new
signatures by email:

    gpg --armor --export 0x308355FA32C5067D \
        | mail -s "NEW signature" torsten@debian.org

Please contact me via e-mail at if you have any questions about this
document or the key transition.

A copy of this transition statement can be found at:

    https://people.debian.org/~torsten/2014/key-transition.txt

2014-12-20
Torsten Landschoff
torsten@debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
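
The `gpg --check-sigs` step in the statement above can be checked mechanically instead of by eye. The following is an added example, not part of the signed statement or the author's own tooling: it parses gpg's colon-format listing and succeeds only if the new key carries a verified signature from the old key. The function names `check_transition` and `sample_listing` are hypothetical, and the sample listing is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Fingerprints are the two printed in the statement above.
OLD_FPR=820F6308F2B08DA24D3EC20E750807B5551BE447
NEW_FPR=8A4D01D983DF73C51DCC745B308355FA32C5067D

# check_transition NEW OLD (hypothetical helper): reads colon-format output of
#   gpg --no-sig-cache --with-colons --check-sigs 0x308355FA32C5067D
# on stdin. Succeeds only if the key with fingerprint NEW has a user ID
# carrying a signature gpg verified as good ("!") from key OLD.
check_transition() {
    awk -F: -v new="$1" -v old="$2" '
        BEGIN { oldid = substr(old, length(old) - 15) }   # 64-bit long key ID
        $1 == "pub" { ctx = "pub"; cur = ""; next }
        $1 == "sub" { ctx = "sub"; next }      # subkey binding sigs do not count
        $1 == "fpr" && ctx == "pub" && cur == "" { cur = $10; next }
        $1 == "uid" || $1 == "uat" { ctx = "uid"; next }
        # Field 2: check result, field 5: signer key ID, field 13: signer
        # fingerprint (filled only when gpg could supply it).
        $1 == "sig" && ctx == "uid" && cur == new &&
            substr($2, 1, 1) == "!" && $5 == oldid &&
            ($13 == "" || $13 == old) { good = 1 }
        END { exit !good }
    '
}

# Constructed listing: timestamps, trust and capability fields are made up.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:308355FA32C5067D:1413417600:1476489600::-:::scESC:
fpr:::::::::8A4D01D983DF73C51DCC745B308355FA32C5067D:
uid:-::::1413417600::::Torsten Landschoff:
sig:!::1:308355FA32C5067D:1413417600::::Torsten Landschoff:13x:
sig:!::17:750807B5551BE447:1419033600::::Torsten Landschoff:10x:
sub:-:4096:1:1E5F95A7863B7C77:1413417600:1476489600:::::s:
sig:!::1:308355FA32C5067D:1413417600::::Torsten Landschoff:18x:
EOF
}

if sample_listing | check_transition "$NEW_FPR" "$OLD_FPR"; then
    echo "new key carries a good signature from the old key"
fi
```

A "!" only means the signature verified against whichever key in the local keyring has that ID, so the result is meaningful only if the old key's full fingerprint was validated beforehand, as the statement assumes.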