With my current OpenPGP key set to expire in the middle of December I’ve decided to extend its life by changing the expiry date for the primary signing key 0xFEEEFA8F and adding a new encryption subkey that can be used when the existing one expires. The new expiry date for the main signing key as well as the new encryption subkey is 2 years from today. Before getting into the actual notice allow me to capture exactly what I did:
Below you will find my OpenPGP Key Transition notice signaling my intention to migrate from my current key (0x1CD3E3D8) to my new one (0xFEEEFA8F). Note that it is very likely that the software used on this website will render the notice in such a way as to invalidate the signature below. Instead please see the plain text version here to do proper validation against or check out my About Me page for full details.
I have been meaning to write up a short post about this for a while, but thanks to the start of a new school term I have been a bit busy. If you have seen the security news in the last month or so you will know that RSA-768, a 768-bit or 232 decimal digit asymmetric key, has been broken (factored). This has important security repercussions for all of us because it is these public key algorithms, like RSA or ElGamal, that guard our online transactions and e-mail conversations.
Well, GPG to be more accurate 😉 As my existing key was set to expire at the end of this year I have issued myself a brand new one! After much thought I finally decided that creating a new key from scratch was the best idea, rather than simply adding a new subkey, because I wanted to move away from DSA/ElGamal toward RSA, primarily because of the weakening of SHA1. If this all sounds like gibberish to you then don’t worry, the details aren’t nearly as important as the security provided by my new key.
Well, it’s almost time for me to create a new PGP key. My current key for tyler at tylerburton dot ca is set to expire at the end of the year and I am trying to determine what the best way to migrate to a new key is. Some people suggest simply adding a new encryption subkey and then changing the original signing key’s expiry date so that individuals wishing to verify your signatures can continue to do so uninterrupted.
In cryptography a key length refers to the digital size of the ‘key’ used to unlock the encryption algorithm. Over time the length of these keys has increased from DES’ modest 64-bit (really 56-bit) key size all the way to the new AES specified key lengths of 128 and 256 bits. Each bit increase in the algorithm doubles the potential number of keys available to use, thus usually making it harder for an adversary to guess the right key.