Key Transition Letter 2009-05-21

Raimar Sandner mail at
Thu May 21 15:15:18 CEST 2009


On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up a new
> OpenPGP key, and will be transitioning away from my old one.

> This message is signed by both keys to certify the transition.

I have not received signatures with your mail, but Charly's reply implies 
that there is a signature, though it does not validate. I have switched to a 
new mail system; I hope it does not strip away signatures :-/

> If you already know my old key, you can now verify that the new key is
> signed by the old one:
>  gpg --check-sigs DAD4736B

I believe (and I think others do too) it is good practice not to sign a new key, 
even if you have signed the old one and the new key is signed by the old one, 
without personally checking with the keyholder first. After all, the new key 
could have been compromised.

> If you don't already know my old key, or you just want to be double
> extra paranoid, you can check the fingerprint against the one above:
>  gpg --fingerprint DAD4736B

If someone does _not_ know the old key, checking the fingerprint against an 
untrusted source like an e-mail is certainly not enough. It is crucial for the 
web of trust that key/UID combinations are only signed after the fingerprint has 
been confirmed by the keyholder in person, and the UID has been checked against 
an official identification.

I think the best way to have your new key integrated in the web of trust is to 
visit a keysigning party, or to look up key signers in your area at
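
[Added example; this is not part of the thread and not code from any of its participants.] The two checks discussed in this exchange, that the new key's fingerprint matches one obtained from the keyholder in person and that the new key carries a certification from the old key which gpg actually marks as good, can be automated over the machine-readable output of `gpg --with-colons --check-sigs <NEW-KEY-ID>`. The script below parses that colon format (field positions per gnupg's doc/DETAILS) and reports why a transition claim fails, including the case Charly hit where the signature is present but does not validate. The key IDs, fingerprint, user ID and listings are constructed placeholders, not the keys from this thread.

```python
"""Check a claimed OpenPGP key transition from gpg's machine-readable output.

Assumes the caller ran, against a keyring that already holds the OLD key,

    gpg --with-colons --check-sigs <NEW-KEY-ID>

and captured stdout.  Two checks are made:
  1. the new key's primary fingerprint equals one obtained out of band
     (from the keyholder in person, not from the e-mail itself);
  2. the new key carries a certification from the old key that gpg marked
     good ('!'), i.e. the old key really did sign the new one.
Field positions follow gnupg's doc/DETAILS: pub/sig field 5 = key ID,
fpr/uid field 10 = fingerprint / user ID, sig field 2 = check-sigs result
('!' good, '-' bad, '?' signer key missing), sig field 11 = signature class.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class KeyRecord:
    keyid: str
    fingerprint: Optional[str] = None
    uids: List[str] = field(default_factory=list)
    # (record type 'sig'/'rev', validity flag, signer key ID, signature class)
    sigs: List[Tuple[str, str, str, str]] = field(default_factory=list)


def parse_check_sigs(colon_output: str) -> List[KeyRecord]:
    """Group colon-format records into one KeyRecord per 'pub' record."""
    keys: List[KeyRecord] = []
    current: Optional[KeyRecord] = None
    for line in colon_output.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = KeyRecord(keyid=f[4].upper())
            keys.append(current)
        elif current is None:
            continue  # 'tru' and other preamble records before the first key
        elif rtype == "fpr" and current.fingerprint is None:
            current.fingerprint = f[9].upper()  # first fpr is the primary key's
        elif rtype == "uid":
            current.uids.append(f[9])
        elif rtype in ("sig", "rev"):
            current.sigs.append((rtype, f[1], f[4].upper(), f[10]))
    return keys


def verify_transition(colon_output: str, expected_fpr: str,
                      old_keyid: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the claim 'this new key is signed by my old key'."""
    keys = parse_check_sigs(colon_output)
    if len(keys) != 1:
        return False, "expected exactly one key in the listing, got %d" % len(keys)
    key = keys[0]
    want = expected_fpr.replace(" ", "").upper()
    if key.fingerprint != want:
        return False, "fingerprint mismatch: %s != %s" % (key.fingerprint, want)
    old = old_keyid.upper()[-16:]           # accept a short (8) or long (16) ID
    by_old = [s for s in key.sigs if s[2].endswith(old) and s[2] != key.keyid]
    if not by_old:
        return False, "no certification by old key %s on this key" % old
    if any(s[0] == "rev" and s[1] == "!" for s in by_old):
        return False, "old key has revoked its certification of the new key"
    if any(s[0] == "sig" and s[1] == "!" for s in by_old):
        return True, "good certification from %s on key %s" % (old, key.keyid)
    if all(s[1] == "?" for s in by_old):
        return False, "old key not in keyring, so its certification cannot be checked"
    return False, "certification by old key does not validate"


# Constructed sample listings for the demonstration (no real keys involved):
# the old key is 0000000000000000, the new key 1111111111111111.
UID = "Example Person <person@example.invalid>"
NEW_FPR = "AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555"
OLD_KEYID = "0000000000000000"


def _listing(old_sig_flag: str) -> str:
    return (
        "tru::1:1242900000:0:3:1:5\n"
        "pub:f:4096:1:1111111111111111:1242900000::-:::scESC::::::23::0:\n"
        "fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:\n"
        f"uid:f::::1242900000::0000000000000000000000000000000000000000::{UID}::::::::::0:\n"
        f"sig:!::1:1111111111111111:1242900000::::{UID}:13x:::::2:\n"   # self-signature
        f"sig:{old_sig_flag}::1:0000000000000000:1242900000::::{UID}:10x:::::2:\n"
    )


LISTING_GOOD = _listing("!")    # old key's certification verified
LISTING_BAD = _listing("-")     # certification present but does not validate
LISTING_NO_OLD = _listing("?")  # old key not in the keyring

if __name__ == "__main__":
    for name, listing in (("good", LISTING_GOOD), ("bad", LISTING_BAD),
                          ("no-old-key", LISTING_NO_OLD)):
        print(name, verify_transition(listing, NEW_FPR, OLD_KEYID))
```

Note that a passing result only tells you the old key certified the new one; as the reply above says, it is no substitute for confirming the fingerprint with the keyholder in person before adding your own signature.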


