Migrating keys

Atom 'Smasher' atom-gpg at suspicious.org
Mon Nov 24 15:48:43 CET 2003

1) the second signature on your new key (the self-sig is the first)
should be from your old key.

you can also revoke your old key with a note that it's been superseded
by your new key; specify the new key ID, type, fingerprint, etc.

2) depending on why your creating a new key, it might be an option to
expire the sub-key and add a new one... that way you keep your signatures.

3) i would not accept a signed message (in itself) as a reason to sign &
trust a new key... i'd still verify the new key either through verbal
(phone) or physical (in-person) verification with the key's owner.

4) note: #1 and #3 contradict #2. in the case of #2 i'd accept the new
encryption key solely because it's signed by a trusted signing key; in the
case of #1 and #3 i wouldn't. i'm not sure why my brain wants to draw that
distinction, but it does... logically all of the above examples are
signing a new key with an old (trusted) key.


PGP key - http://smasher.suspicious.org/pgp.txt
3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3

	"The capitalists owned everything in the world, and everyone
	 else was their slave. They owned all the land, all the
	 houses, all the factories, and all the money. If anyone
	 disobeyed them they could throw him into prison, or they
	 could take his job away and starve him to death. When any
	 ordinary person spoke to a capitalist he had to cringe and
	 bow to him, and take off his cap and address him as 'Sir'"
		-- George Orwell

More information about the Gnupg-users mailing list