Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

New OpenPGP Key, 0xC004BAE3 (2014)


After 11 years, I have chosen to transition my OpenPGP/GnuPG cryptographic key pair from a 1024-bit DSA to a 4096-bit RSA key. The new key is ID 0xC004BAE3. Please review the fingerprints and update your OpenPGP keychain accordingly.

The following is my digitally signed transition statement; notice that it is signed with both my new and old key pairs. My old key is uncompromised and will remain valid for a period of time.

Download my new OpenPGP key

You can download my new GnuPG key from http://rietta.com/pgp-pub/frank_rietta_pgp.asc. Or, if you prefer to fetch it directly from the Massachusetts Institute of Technology public key server, run gpg --keyserver pgp.mit.edu --recv-key 0xC004BAE3. The full fingerprint of the new key is EF65 AC38 A698 E87D 9CEF B60F 658C D5E9 C004 BAE3.

Key transition signing statement

You can also download the statement as a clear-signed plaintext document.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512,SHA1

Date: Sunday, July 27, 2014

For a number of reasons, I have recently set up a new OpenPGP key, and will be transitioning away from my old one that has been in use since 2003, when I was an undergraduate Computer Science student at the Georgia Institute of Technology.

You can read more about the technical reasoning and suggested key management practices at:

  - http://www.debian-administration.org/users/dkg/weblog/48
  - https://wiki.ubuntu.com/SecurityTeam/GPGMigration
  - https://help.riseup.net/en/security/message-security/openpgp/best-practices

My old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

  pub   1024D/1F9016AF 2003-05-06 [expires: 2015-08-03]
        Key fingerprint = DCF6 4AEB 7545 3CEB 923E  6E1A BBD2 F8E2 1F90 16AF
  uid                  Frank Rietta <[email protected]>
  uid                  Frank Rietta <[email protected]>
  uid                  [jpeg image of size 2826]
  uid                  Frank Rietta <[email protected]>
  sub   2048R/0CD8B255 2013-01-31 [expires: 2015-08-03]

And the new key is:

  pub   4096R/C004BAE3 2014-07-25 [expires: 2020-08-04]
        Key fingerprint = EF65 AC38 A698 E87D 9CEF  B60F 658C D5E9 C004 BAE3
  uid                  Frank S. Rietta <[email protected]>
  uid                  Frank S. Rietta <[email protected]>
  uid                  Frank S. Rietta <[email protected]>
  sub   4096R/3FB74663 2014-07-25 [expires: 2020-08-04]

The full key is posted at my website (rietta.com) at:

  http://rietta.com/pgp-pub/frank_rietta_pgp.asc

To fetch the full key from a public key server, you can simply do:

  gpg --keyserver pgp.mit.edu --recv-key 0xC004BAE3

If you already know my old key, you can now verify that the new key is signed by the old one:

  gpg --check-sigs 0xC004BAE3

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint 0xC004BAE3

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command.  Please note though, that if you had previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use --lsign-key, and not send the signatures to the key server!

  gpg --sign-key 0xC004BAE3

I'd like to receive your signatures on my key. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

  gpg --export 0xC004BAE3 | gpg --encrypt -r 0xC004BAE3 --armor | mail -s 'OpenPGP Signatures' [email protected]

Or you can just upload the signatures to a public keyserver directly:

  gpg --keyserver pgp.mit.edu --send-key 0xC004BAE3

Please let me know if you have any questions, or problems.

Sincerely yours,

Frank S. Rietta
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
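The statement above asks the reader to fetch the key, compare its fingerprint against the one quoted, and confirm that the old key has signed the new one. The following Python script is an added example, not the author's code and not part of the signed statement, that performs those checks offline: it parses the machine-readable listing that `gpg --with-colons --check-sigs` prints, confirms that the fetched key's full 160-bit fingerprint matches the quoted one, that the short ID 0xC004BAE3 is indeed the low 32 bits of that fingerprint, and that a good certification from the old key 1F9016AF is present. The listings embedded in the script are constructed from the key details quoted in the statement; their dates, trust fields, uid hash and e-mail addresses are placeholders, and the second listing is an invented key that shares only the short ID, to show why the short ID alone proves nothing.

```python
"""Offline sanity checks for an OpenPGP key transition statement.

Added example (not code from the original post or from GnuPG). It parses the
machine-readable listing printed by `gpg --with-colons --check-sigs <keyid>`,
but the listings embedded below are CONSTRUCTED from the key details quoted in
the statement (fingerprints, key IDs, algorithms); dates, trust values, the uid
hash and the e-mail addresses are placeholders.
"""
from __future__ import annotations

import re

# Values quoted in the transition statement.
NEW_KEY_FINGERPRINT = "EF65 AC38 A698 E87D 9CEF B60F 658C D5E9 C004 BAE3"
NEW_KEY_SHORT_ID = "0xC004BAE3"
OLD_KEY_FINGERPRINT = "DCF6 4AEB 7545 3CEB 923E 6E1A BBD2 F8E2 1F90 16AF"

# Constructed --with-colons listing for the new key. Fields used (0-based):
# 0 record type, 1 validity ('!' = good signature), 3 algorithm (1 RSA, 17 DSA),
# 4 long key ID, 9 user ID (sig/uid records) or fingerprint (fpr records).
SAMPLE_LISTING = """\
pub:u:4096:1:658CD5E9C004BAE3:1406246400:1596499200::u:::scESC::::::23::0:
fpr:::::::::EF65AC38A698E87D9CEFB60F658CD5E9C004BAE3:
uid:u::::1406246400::0000000000000000000000000000000000000000::Frank S. Rietta <frank@example.invalid>::::::::::0:
sig:!::1:658CD5E9C004BAE3:1406246400::::Frank S. Rietta <frank@example.invalid>:13x::EF65AC38A698E87D9CEFB60F658CD5E9C004BAE3:::8:
sig:!::17:BBD2F8E21F9016AF:1406332800::::Frank Rietta <frank@example.invalid>:10x::DCF64AEB75453CEB923E6E1ABBD2F8E21F9016AF:::8:
"""

# Constructed listing of a DIFFERENT key whose fingerprint happens to end in the
# same 32 bits (C004BAE3): the short ID matches, the full fingerprint does not.
COLLIDING_SHORT_ID_LISTING = """\
pub:-:4096:1:CCDDEEFFC004BAE3:1406246400:::-:::scESC::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFFC004BAE3:
"""

_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def strip_hex_prefix(text: str) -> str:
    """Remove whitespace and a leading 0x, upper-case the rest."""
    compact = re.sub(r"\s+", "", text).upper()
    return compact[2:] if compact.startswith("0X") else compact


def normalize_fingerprint(text: str) -> str:
    """Canonical 40-hex-digit form of an OpenPGP v4 fingerprint, or ValueError."""
    compact = strip_hex_prefix(text)
    if not _FPR_RE.match(compact):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {text!r}")
    return compact


def key_ids_from_fingerprint(fingerprint: str) -> tuple[str, str]:
    """(long 64-bit key ID, short 32-bit key ID): both are suffixes of a v4 fingerprint."""
    compact = normalize_fingerprint(fingerprint)
    return compact[-16:], compact[-8:]


def parse_colon_records(listing: str) -> list[list[str]]:
    """Split a --with-colons listing into records of colon-separated fields."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]


def primary_fingerprint(records: list[list[str]]) -> str:
    """Fingerprint of the primary key: the fpr record that follows the pub record."""
    expect_fpr = False
    for rec in records:
        if rec[0] == "pub":
            expect_fpr = True
        elif rec[0] == "fpr" and expect_fpr:
            return rec[9]
    raise ValueError("listing has no primary-key fingerprint")


def good_signer_key_ids(records: list[list[str]]) -> set[str]:
    """Long key IDs of the certifications that gpg marked good ('!')."""
    return {rec[4].upper() for rec in records if rec[0] == "sig" and rec[1] == "!"}


def verify_transition(listing: str, expected_fpr: str, claimed_short_id: str,
                      old_fpr: str) -> dict[str, bool]:
    """Check a fetched key listing against the fingerprints in a transition statement."""
    records = parse_colon_records(listing)
    expected = normalize_fingerprint(expected_fpr)
    new_long_id, new_short_id = key_ids_from_fingerprint(expected)
    old_long_id, _ = key_ids_from_fingerprint(old_fpr)
    signers = good_signer_key_ids(records)
    return {
        # Only the full fingerprint is worth trusting; compare all 160 bits.
        "fingerprint_matches": normalize_fingerprint(primary_fingerprint(records)) == expected,
        # The statement's short ID must be the low 32 bits of the statement's fingerprint.
        "claimed_id_is_fingerprint_suffix": strip_hex_prefix(claimed_short_id) == new_short_id,
        # gpg --check-sigs marked a certification from the old key as good.
        "signed_by_old_key": old_long_id in signers,
        # The new key certifies its own user IDs.
        "self_signed": new_long_id in signers,
    }


if __name__ == "__main__":
    checks = verify_transition(SAMPLE_LISTING, NEW_KEY_FINGERPRINT,
                               NEW_KEY_SHORT_ID, OLD_KEY_FINGERPRINT)
    for name, ok in checks.items():
        print(f"{name:34s} {'ok' if ok else 'FAIL'}")
```

Against a live keyring the listing would come from `gpg --with-colons --check-sigs 0xC004BAE3` instead of the embedded constant; everything else stays the same. The colliding listing fails only the fingerprint comparison, which is exactly the case the statement's "double extra paranoid" step guards against: the short ID quoted in the statement and the key's fingerprint have to be compared in full, not by their last eight hex digits.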

Further reading

You can read more about the technical reasoning and suggested key management practices at:

  - http://www.debian-administration.org/users/dkg/weblog/48
  - https://wiki.ubuntu.com/SecurityTeam/GPGMigration
  - https://help.riseup.net/en/security/message-security/openpgp/best-practices

About Frank Rietta


Frank Rietta specializes in working with startups and new Internet businesses, and in developing on the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Master's in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.
