Can I convert a V3 key and is it even worth doing?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Nov 28 22:38:51 CET 2014


On 11/28/2014 03:33 PM, Steven M. Sawczyn wrote:
> Hello everyone, I have a rather strange problem on which I could use some
> advice.  I am starting to use GnuPG again after a number of years and to
> that end, have resurrected my original key generated with PGP back in 1998.
> For the most part this key works well although since it's an older V3 key,
> certain software packages have trouble importing the secret portion of it.
> To be fair it's not like hundreds of people have my key, however, this key
> is available on public servers and I like the fact that it's really the only
> key associated with me.  My questions are:
> 
> 1.       Is there any way to convert my V3 key to something newer?  My guess
> is no, but ideally I'm wrong about this.

I'm sure it's possible to do.  I don't think it's a good idea.  For one
thing, if you converted it, the OpenPGPv4 fingerprint would be a
different fingerprint than the v3 key, so it would appear as a different
key to most people anyway.  You might as well create a new key.

> 2.       Other than my experiencing problems with applications that don't
> support the V3 key, is there any other really compelling reason to abandon
> it in favor of a brand new one?

Yes.  The OpenPGPv3 key fingerprint mechanism is trivial to spoof.
OpenPGPv3 also implies the use of MD5 as a digest algorithm for signatures.

> 3.       If generating a new key is the best way to go, is there any way to
> get rid of the older key off servers?  I could generate a revocation
> certificate, however my understanding is that won't really get rid of
> anything and my concern is that having two keys with the same Email address
> could lead to confusion.

Lots of us have historical keys on the keyservers.  It's not a problem
worth worrying about.

Looking on the public keyservers, there appear to already be 3 different
keys with your e-mail address, so adding one more (that was made this
millennium) doesn't seem like it's particularly worrisome.

And if it makes you feel any better(?) anyone can upload another key
with your user ID attached to it.

Regards,

	--dkg
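As an added illustration of the fingerprint weakness dkg refers to above (this is not code from the thread or from GnuPG; it follows the fingerprint definitions in RFC 4880, section 12.2): a v3 fingerprint is MD5 over the bare MPI bodies of n and e with their lengths left out, and a v3 key ID is simply the low 64 bits of n. So whoever generates a key chooses its key ID outright, and moving octets across the n/e boundary leaves the v3 fingerprint unchanged, which is the non-uniqueness RFC 4880 itself notes. A v4 fingerprint instead covers the length-prefixed packet (version, creation time, algorithm and length-framed MPIs) under SHA-1, so neither trick applies. The prime-search routine, the seeded RNG and the target key IDs are assumptions made for the demonstration; the keys it produces are toys, not usable keys.

```python
"""Added example: why OpenPGP v3 (PGP 2.x-era RSA) key IDs and fingerprints
are weaker than v4 ones, following RFC 4880 section 12.2.  Everything below
is constructed for illustration; the key search is a toy, not key generation."""
import hashlib
import random


def mpi_body(value):
    """Big-endian octets of a non-negative integer, with no leading zero octets."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""


def mpi(value):
    """OpenPGP MPI encoding: two-octet bit count followed by the body."""
    return value.bit_length().to_bytes(2, "big") + mpi_body(value)


def v3_fingerprint(n, e):
    """V3 fingerprint: MD5 over the MPI bodies of n and e, lengths omitted."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def v3_keyid(n):
    """V3 key ID: the low 64 bits of the RSA modulus, i.e. chosen by the key's maker."""
    return (n & ((1 << 64) - 1)).to_bytes(8, "big").hex().upper()


def v4_fingerprint(n, e, created):
    """V4 fingerprint: SHA-1 over 0x99, a two-octet length, and the public-key
    packet body (version 4, creation time, algorithm 1 = RSA, length-prefixed MPIs)."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def shift_mpi_boundary(n, e, k=1):
    """Move the low k octets of n onto the front of e.  The concatenated MPI
    bodies, and hence the v3 fingerprint, stay identical (RFC 4880 12.2 note)."""
    nb, eb = mpi_body(n), mpi_body(e)
    if k >= len(nb) or nb[-k] == 0:
        raise ValueError("shift would drop n entirely or give e a leading zero octet")
    return int.from_bytes(nb[:-k], "big"), int.from_bytes(nb[-k:] + eb, "big")


def is_probable_prime(n, rng=None, rounds=16):
    """Miller-Rabin after trial division by small primes (assumed helper)."""
    rng = rng or random.Random(2014)
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_with_low_bits(low64, bits, rng):
    """Random prime of `bits` bits whose low 64 bits equal low64 (must be odd).
    Stepping by 2**64 keeps the low 64 bits fixed while searching upward."""
    if low64 % 2 == 0:
        raise ValueError("low 64 bits must be odd")
    high = (1 << (bits - 65)) | rng.getrandbits(bits - 65)
    q = (high << 64) | low64
    while not is_probable_prime(q, rng):
        q += 1 << 64
    return q


def forge_v3_keyid(target_keyid_hex, bits=1024, rng=None):
    """Build an RSA modulus n = p*q whose v3 key ID equals the chosen target:
    pick p, then force q = target * p^-1 (mod 2^64) so that n = target (mod 2^64).
    Seeded RNG is an assumption for reproducibility; real keys need a CSPRNG."""
    rng = rng or random.Random(2014)
    target = int(target_keyid_hex, 16)
    if target % 2 == 0:
        raise ValueError("an RSA modulus is odd, so the target key ID must be odd")
    half = bits // 2
    p = prime_with_low_bits(rng.getrandbits(64) | 1, half, rng)
    q = prime_with_low_bits((target * pow(p, -1, 1 << 64)) % (1 << 64), half, rng)
    return p, q, p * q


def demo(target="0123456789ABCDEF"):
    """Forge a key ID, then show the v3 fingerprint survives an MPI boundary shift
    while the v4 fingerprint of the same bytes does not."""
    p, q, n = forge_v3_keyid(target)
    e = 65537
    n2, e2 = shift_mpi_boundary(n, e)
    return {
        "keyid": v3_keyid(n),
        "v3_same": v3_fingerprint(n, e) == v3_fingerprint(n2, e2),
        "v4_same": v4_fingerprint(n, e, 0) == v4_fingerprint(n2, e2, 0),
    }
```

demo() returns the forged key ID equal to its argument, v3_same True and v4_same False. The shifted (n2, e2) pair is not a usable RSA key; the point is only that the v3 fingerprint cannot tell the two byte layouts apart, whereas the v4 length framing does.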
