
Re: How to upgrade my gpg key to debian standards?



Hi,



>I am looking at upgrading my gpg key.
>
>What parameters should I use?
>
>Is there a standard way to get all the people that signed
>the old key to sign the new key?


The general answer should be that it is up to the developers to
sign the new one, or to ask you to meet in person.

"Trust" in this case depends on many factors, some of them just human :)

Is the old key too weak to still be considered secure?

Yes: I'm afraid you should try to use an additional channel to ask them to re-sign
a new one (e.g. text them on a mobile phone, a Skype call, or something else).

No: (this is what I did)

GPG1: old key (signed by him)

GPG2: new key (not signed)

Send an email signed with GPG1 and attach a text file with the same mail content, but signed inline
with key 2.

So the developer will see the same content signed with both keys, and will probably accept
that as a secure enough method.

Some text might be:
"Hi, we met in A, you signed my key GPG1 <full fingerprint>; now I'm changing it to a new one, GPG2 <full fingerprint>,
and I would like to ask you to sign it. I'm attaching the same content signed with the new key to
let you know I'm the owner of it; of course, since you already have my phone number XXX and my Skype/whatever,
you can just drop me a text/video call to make sure it's me asking this."

In my case I was replacing a 2k key with a 4k one, so I got some signatures without much trouble by
spamming on IRC with my account; WhatsApp/text/Skype in other cases was enough to make sure they
trusted me.

But that said, it really depends on them, and on your process for making them confident that you are the owner/requester
for the different signing.

I hope this helps. Maybe this should be reviewed by somebody authoritative and put on a wiki;
I'm not aware of such a "standardized" process.

Gianfranco
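The procedure above (one statement naming both fingerprints, signed with the old key and with the new key, then checked and certified by the recipient) as a runnable example. This is an added example, not code from the original post or from Debian; it creates throwaway, passphrase-less keys under a temporary GNUPGHOME with constructed user IDs, and the clearsigned statement carries both signatures in one file rather than a signed mail plus an attachment. Substitute your own fingerprints in real use.

```shell
#!/bin/sh
# Added example, not part of the original post: an OpenPGP key-transition
# statement signed with both the old and the new key, verified the way a
# certifying developer would, and then the new key is certified.
# Constructed data: throwaway GNUPGHOME, passphrase-less demo keys and
# hypothetical user IDs/addresses. Substitute real fingerprints in practice.
set -eu

# gpg wrapper: unattended, no passphrase prompts (demo keys have none).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint (40 hex digits) of the key matching a user ID.
fpr_of() {
  g --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate a demo key for the given user ID and print its fingerprint.
gen_key() {
  g --quick-gen-key "$1" default default >/dev/null 2>&1
  fpr_of "$1"
}

# The statement the key holder sends. Both fingerprints are spelled out in
# full so the reader can compare them with what actually signed the text.
write_statement() {  # $1=old fpr  $2=new fpr  $3=output file
  cat >"$3" <<EOF
Key transition statement

I am replacing my OpenPGP key
  old: $1
with the key
  new: $2
and ask those who certified the old key to certify the new one.
This text is signed with both keys.
EOF
}

# One clearsigned message carrying a signature from each key (-u twice).
sign_statement() {  # $1=old fpr  $2=new fpr  $3=input  $4=output
  g -u "$1" -u "$2" --clearsign -o "$4" "$3"
}

# Recipient side: the signatures must be valid AND come from exactly the
# fingerprints named in the text; otherwise a third key could sign a
# statement that names somebody else's fingerprints.
verify_transition() {  # $1=clearsigned statement
  signers=$(g --status-fd 1 --verify "$1" 2>/dev/null \
            | awk '$2 == "VALIDSIG" { print $NF }')
  named_old=$(awk '$1 == "old:" { print $2 }' "$1")
  named_new=$(awk '$1 == "new:" { print $2 }' "$1")
  for f in "$named_old" "$named_new"; do
    case "$signers" in
      *"$f"*) ;;
      *) echo "no valid signature from $f" >&2; return 1 ;;
    esac
  done
}

# Recipient certifies the new key with their own key, then prints the long
# key IDs of every good certification now on it (self-signatures included).
certify_new_key() {  # $1=certifier  $2=new key fingerprint
  g -u "$1" --quick-sign-key "$2" 2>/dev/null
  g --with-colons --check-sigs "$2" \
    | awk -F: '$1 == "sig" && $2 == "!" { print $5 }'
}

# End-to-end run; prints "verified and certified by <certifier key ID>".
run_demo() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  old=$(gen_key "Alice Example (old key) <alice@example.org>")
  new=$(gen_key "Alice Example (new key) <alice@example.org>")
  dev=$(gen_key "Bob Developer <bob@example.org>")
  write_statement "$old" "$new" "$GNUPGHOME/statement.txt"
  sign_statement "$old" "$new" "$GNUPGHOME/statement.txt" "$GNUPGHOME/statement.asc"
  verify_transition "$GNUPGHOME/statement.asc"
  devid=$(printf '%s' "$dev" | tail -c 16)   # long key ID = last 16 hex of fpr
  certify_new_key "$dev" "$new" | grep -qx "$devid"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
  echo "verified and certified by $devid"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not found" >&2; fi
```

The check in verify_transition is the part that matters: a valid signature alone proves little, the recipient has to confirm that the keys which signed are the ones the text names, and that the old one is a key they already certified. The certification step is the same `--quick-sign-key` a developer would run before exporting and mailing the signed key back. As the post says, this only helps while the old key is still trustworthy; if it is too weak or compromised, the out-of-band channel is the only option.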

