GPG Key Transition

My current PGP/GnuPG key is expiring, so I've rolled a new one. The ID of the new key
is 0x3C7775DD37811E62 (full fingerprint:
1ED5 E5A3 01C3 D109 9040 2289 3C77 75DD 3781 1E62) and it should be in your
favorite keyservers, cross-signed by my old key. You can also find it at
https://files.roguelazer.com/roguelazer.gpg.
It has also been attached to my keybase.io account and my GitHub
profile. My previous key (0xAEE8F2454A41B87D) has not been revoked
and has not been compromised, but you should still stop using it if possible. The new key is a 4096-bit RSA
key with SHA-2 digest signatures — I'm not quite bold enough to switch to ECC for a long-lived key yet.
My signed transition document is below, and can also be found at
2019-04-27-key-transition-statement.txt.asc if
you prefer to download it directly.
Additionally, I have generated a separately-signed key with ID 0x233E5EAF0EC3ABA9
(full fingerprint: 14E8 9660 188D BC9B 2C17 67AA 233E 5EAF 0EC3 ABA9).
This key should not be used for communication,
but will only be used to sign VCS commits/tags/&c (in Git and perhaps in
Pijul). It's going to be on my [managed] work computer, so treat it with a grain
of salt.
GPG (2013 Update)
In light of all of the hullabaloo about PRISM and other spying
technology, I thought it'd be good to remind all of you dear readers
that we've had the technology to ensure private communications on the
Internet for 22 years in the form of Pretty Good Privacy (and
the much-more-commonly-used implementation, GnuPG). Ars Technica had
an okay article about e-mail encryption with PGP which I recommend
reading, although you should keep in mind that most security
professionals would consider infrastructural PKI like SSL and S/MIME to
be compromised by nation-state-level adversaries (and all associated
MIC contractors).
Anyhow, my GPG …
New GPG Key
As you may have seen around the Internet, there was a
fairly significant break in the SHA-1 hash function, which is used
by default in GnuPG. This is worrisome, since GPG/PGP signatures are
one of the only things I'd actually trust to verify somebody's identity
online. So I've generated a new key with a 2048-bit RSA primary (for
SHA256 and SHA512 support) and a 4096-bit ElGamal encrypting key (which
took about 15 minutes to generate, so better be worth it). The key ID is
CB8AA0FF, and the fingerprint is
5C35 D713 3E10 9A19 FFFC F58A 68E8 3B57 CB8A A0FF …