Key Transition Letter 2009-05-21
mail at 404not-found.de
Thu May 21 15:15:18 CEST 2009
On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.
> This message is signed by
> both keys to certify the
I have not recieved signatures with your mail, but Charly's reply implicates
that there is a signature, though it does not validate. I have switched to a
new mail system, I hope it does not strip away signatures :-/
> If you already know my old key, you can now verify that the new
> key is
> signed by the old one:
> gpg --check-sigs DAD4736B
I believe (an I think others do too) it is good praxis to not sign new keys
even if you have signed the old one and the new key is signed by the old one,
without personally checking with the keyholder first. After all, the new key
could have been compromised.
> If you don't already know my old key, or you just want to be
> extra paranoid, you can check the fingerprint against the one
> gpg --fingerprint DAD4736B
If someone does _not_ know the old key, checking the fingerprint against an
untrusted source like an eMail is certainly not enough. It is crucial for the
web of trust that key/UID combinations are only signed after the fingerpint has
been confirmed by the keyholder in person, and the UID has been checked against
an official identification.
I think the best way to have your new key integrated in the web of trust is to
visit a keysigning party, or to look up key signers in your area at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users