-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Date: 2015-03-10

For [a number of reasons][0], I've recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. [This message is signed][3] by both keys to certify the transition.

The old key was:

    pub   1024D/0x677A7DE8CC9A6F67 1999-02-26 [expires: 2017-03-09]
          Key fingerprint = 75E6 C558 4E34 9022 FEF1 3EA2 677A 7DE8 CC9A 6F67

And the new key is:

    pub   4096R/689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7 2015-03-10 [expires: 2017-03-09]
          Key fingerprint = 689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7

To fetch the full key from a public key server, you can simply do:

    gpg --keyserver keys.riseup.net --recv-key '689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7'

If you already know my old key, you can now verify that the new key is signed by the old one:

    gpg --check-sigs '689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7'

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

    gpg --fingerprint '689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7'

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command:

NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use --lsign-key, and not send the signatures to the keyserver.

    gpg --sign-key '689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7'

I'd like to receive your signatures on my key. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

    gpg --export '689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7' | gpg --encrypt -r '689D 9753 FE50 6B09 2C1E 352A E6E9 E425 48C9 12E7' --armor | mail -s 'OpenPGP Signatures' darac@darac.org.uk

Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations, and other updates in a timely manner. You can do regular key updates by using [parcimonie][1] to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.

I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message ;-)

[https://we.riseup.net/debian/openpgp-best-practices][2]

Please let me know if you have any questions, or problems, and sorry for the inconvenience.

Paul Saunders (aka Darac Marjal)

[0]: https://www.debian-administration.org/users/dkg/weblog/48
[1]: https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
[2]: https://we.riseup.net/debian/openpgp-best-practices
[3]: https://www.darac.org.uk/static/GPG%20Key%20Transition%20Statement.txt

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
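
An added example, not part of the original statement: the `--check-sigs` and `--fingerprint` checks from the message, scripted over gpg's `--with-colons` output so the new key is accepted only when its primary fingerprint matches the published one and a user ID carries a verified signature from the old key. The names `check_transition` and `sample_listing` and the sample listing itself are constructed for illustration; the old key is matched by its 64-bit key ID.

```shell
#!/bin/sh
# Fingerprints copied from the statement, spaces removed.
OLD_FPR='75E6C5584E349022FEF13EA2677A7DE8CC9A6F67'
NEW_FPR='689D9753FE506B092C1E352AE6E9E42548C912E7'

# check_transition NEW_FPR OLD_FPR < colon-listing
# Succeeds only if the listing's primary-key fingerprint equals NEW_FPR and
# one of that key's user IDs carries a signature from the old key that gpg
# marked as verified ("!" in field 2 of the sig record).
check_transition() {
    awk -F: -v want="$1" -v old="$2" '
        BEGIN { oldid = substr(old, length(old) - 15) }   # 64-bit key ID
        $1 == "pub" { ctx = "pub"; match_key = 0 }
        $1 == "sub" { ctx = "sub" }                       # subkey records follow
        $1 == "uid" { ctx = "uid" }
        $1 == "fpr" && ctx == "pub" { match_key = ($10 == want); if (match_key) fpr_ok = 1 }
        $1 == "sig" && ctx == "uid" && match_key && $2 == "!" && $5 == oldid { sig_ok = 1 }
        END { exit !(fpr_ok && sig_ok) }
    '
}

# Constructed sample listing (timestamps, uid text and subkey are made up).
# $1 is the verification flag gpg put on the old key's signature:
# "!" good, "-" bad, "?" old public key not in the keyring.
sample_listing() {
    cat <<EOF
pub:-:4096:1:E6E9E42548C912E7:1425945600:1489017600::-:::scESC:
fpr:::::::::689D9753FE506B092C1E352AE6E9E42548C912E7:
uid:-::::1425945600::0000000000000000000000000000000000000000::Example User <user@example.org>:
sig:!::1:E6E9E42548C912E7:1425945600::::Example User <user@example.org>:13x:
sig:$1::17:677A7DE8CC9A6F67:1425945700::::Example User <user@example.org>:10x:
sub:-:4096:1:0123456789ABCDEF:1425945600:1489017600:::::e:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
sig:!::1:E6E9E42548C912E7:1425945600::::Example User <user@example.org>:18x:
EOF
}

# Real use, after fetching the new key as described in the statement:
#   gpg --with-colons --check-sigs "$NEW_FPR" | check_transition "$NEW_FPR" "$OLD_FPR"
```

A `?` flag means the old key is not in the local keyring, so the cross-signature could not be checked at all; the function treats that the same as a bad signature.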