
Re: Alec Leamas: Declaration of intent to become a DM



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Date: May 13, 2022

I'm currently in the process of becoming a Debian Maintainer, which
requires me to have a key with at least 4096 bits. Since my current key
is based on just 2048 bits, I have created a new 4096-bit key and will
transition to use this instead of my old one.

The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one. I would also like this
new key to be re-integrated into the web of trust.  This message is
signed by both keys to certify the transition.

The old key was:
pub   rsa2048 2015-10-08 [SC] [expires: 2022-10-05]
      C145797379871C082A9DFDB50A1DA7134E068B4C

And the new key is:
pub   rsa4096 2022-05-12 [SC] [expires: 2023-05-12]
      E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C

To fetch the new full key from a public key server, you can simply do:

  gpg --keyserver keys.riseup.net --recv-key \
    E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C

If you already know my old key, you can now verify that the new key is
signed by the old one:

  gpg --check-sigs E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C

If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key. You can
do that by issuing the following command:

**
NOTE: if you have previously signed my key but did a local-only
signature (lsign), you will not want to issue the following, instead
you will want to use --lsign-key, and not send the signatures to the
keyserver
**

  gpg --sign-key E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C

I'd like to receive your signatures on my key. You can either send me
an e-mail with the new signatures (if you have a functional MTA on
your system):

  gpg --export E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C | \
    gpg --encrypt -r E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C --armor | \
    mail -s 'OpenPGP Signatures' leamas.alec@gmail.com


Additionally, I highly recommend that you implement a mechanism to keep
your key material up-to-date so that you obtain the latest revocations
and other updates in a timely manner. You can do regular key updates by
using parcimonie[1] to refresh your keyring. Parcimonie is a daemon that
slowly refreshes your keyring from a keyserver over Tor. It uses a
randomized sleep and fresh Tor circuits for each key. The purpose is to
make it hard for an attacker to correlate the key updates with your
keyring.

I also highly recommend checking out:

https://riseup.net/openpgp/best-practices

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.

Alec Leamas
-----BEGIN PGP SIGNATURE-----
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=UiYi
-----END PGP SIGNATURE-----
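
The message above states that it is signed by both keys. As an added example (not part of the original message or of any Debian tooling), the shell functions below check that claim from gpg's machine-readable status output. The file name statement.txt, the function names and the sample status lines (timestamps and trailing fields) are constructed for illustration; the two fingerprints are the ones given in the message.

```shell
#!/bin/sh
# Added example: check that a clearsigned key-transition statement carries
# valid signatures from BOTH the old and the new key. The status text is
# what this prints (statement.txt is a hypothetical file name):
#   gpg --status-fd 1 --verify statement.txt 2>/dev/null

OLD_FPR=C145797379871C082A9DFDB50A1DA7134E068B4C   # from the message
NEW_FPR=E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C   # from the message

# Constructed sample status output (timestamps and trailing fields invented).
SAMPLE_BOTH='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG C145797379871C082A9DFDB50A1DA7134E068B4C 2022-05-13 1652400000 0 4 0 1 8 01 C145797379871C082A9DFDB50A1DA7134E068B4C
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C 2022-05-13 1652400000 0 4 0 1 8 01 E2EA41DCE2F8A99AD17A1E463A67D5D966D15C5C'
# Constructed failure case: only the old key produced a valid signature.
SAMPLE_OLD_ONLY='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG C145797379871C082A9DFDB50A1DA7134E068B4C 2022-05-13 1652400000 0 4 0 1 8 01 C145797379871C082A9DFDB50A1DA7134E068B4C'

# has_validsig FPR: reads status lines on stdin; succeeds if a VALIDSIG line
# names FPR as the signing key (field 3) or as its primary key (last field).
has_validsig() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# check_transition OLD NEW STATUS: succeeds only if both keys signed.
check_transition() {
    for fpr in "$1" "$2"; do
        printf '%s\n' "$3" | has_validsig "$fpr" || {
            echo "no valid signature from $fpr"
            return 1
        }
    done
    echo "valid signatures from both keys"
}

check_transition "$OLD_FPR" "$NEW_FPR" "$SAMPLE_BOTH"
```

A VALIDSIG line only shows that the signature verifies against a key in the local keyring; comparing the fingerprint against the one in the message, as described above, is still needed.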

