-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1,SHA256 2010-06-12 16:52:30 UTC In light of fairly serious attacks against the SHA-1 digest algorithm, general consensus among the cryptographic community holds that we should be deprecating SHA-1 where possible with an eye toward abandoning it soon. Even the USA's National Institute of Standards and Technology decreed nearly six years ago: "NIST encourages a rapid adoption of the SHA-2 hash functions for digital signatures, and, in any event, Federal agencies must stop relying on digital signatures that are generated using SHA-1 by the end of 2010." - NIST Comments on Cryptanalytic Attacks on SHA-1, William E. Burr, NIST Security Technology Group Manager, 2004-08-25 Further, the Digital Signature Algorithm (DSA) in its original form only allows maximum 1024-bit asymmetric keys, and the signature process itself signs a 160-bit hash officially specified as SHA-1. This means that 1024-bit DSA keys should be phased out as well. In light of the above, I've recently created a new OpenPGP key and will be transitioning away from my old one. My old key should still continue to be valid for some time, but I prefer all future correspondence to come to the new one. I'd also like this new key to be re-integrated into the Web of Trust. This message is signed by both keys to certify the transition. My old key was: pub 1024D/1FB84657 2001-01-20 Key fingerprint = 9E8D FF2E 4F59 95F8 FEAD DC58 29AB F744 1FB8 4657 And my new key is: pub 4096R/43495829 2010-06-12 Key fingerprint = 97AE 496F C02D EC9F C353 B2E7 48F9 9611 4349 5829 To fetch the full key (including a photo UID, which is commonly stripped by public keyservers): wget -q -O- http://fungi.yuggoth.org/ | gpg --import - Or, to fetch my new key from a public key server, you can simply do: gpg --keyserver pgp.mit.edu --recv-key 43495829 If you already know my old key, you can now verify that the new key is signed by the old one: gpg --check-sigs 43495829 If you don't already know my old key, you can check the fingerprint against the one above: gpg --fingerprint 43495829 If you're satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate if you would sign it too: gpg --sign-key 43495829 You can either send me an e-mail with the new signatures (if you have a functional MTA on your system): gpg -a --export 43495829 | mail -s'openpgp sig' fungi@yuggoth.org ...or you can just upload the signatures to a public keyserver directly: gpg --keyserver pgp.mit.edu --send-key 43495829 As always, many thanks and apologies for the inconvenience! - -- { IRL(Jeremy_Stanley); PGP(97AE496FC02DEC9FC353B2E748F9961143495829); SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511); AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org); MUD(kinrui@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); } -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwTyjoACgkQKav3RB+4RleRtACeJuh9h4JGFX4wfzFyUculiNZF I+AAn1ZxcyQGmcONA3ZYFk0nOssvrl4ziQIcBAEBCAAGBQJME8o6AAoJEEj5lhFD SVgpkNUQAKIbmXSAXtvJd4wneWyRxE5bMBl9QxHteVoNcjA+AG/xs5uF8U7G6fUS c3z9754PceKDMeNEhvFGZ743hVgyTMTSNM7eH5iefZaBUbQwfiVNbYJFwHcTZvgM JkquS/pQV2nZSMkppuRYpBfhFNh3IE7MU5+JSFUJLVGWhVBsrIVVvPhmSheJ2YVg IRm4hQ0mjqs7pY0VCc5TB8Ae9VD/ke7NwCyEtqinC4UGG264/jD+o9CXehLnK02a u/9VVZDVcqnSgC5ALyplBtKkSobpYnmJvlgICC3U9hVVrJA+VoYgaTRrQW1t4UkV 33pR4VMKxUo6xS2/o/Lb/KEQ4iXhKwvcKrCJqh4p52FoTmHlh5GopVqymzxcOa2U n8bTkuEU+RRGKGxQ8R7SejHu5qtxpj18Qn3hHh/HXm8ihbE2fQpmG2FY9rrEw7RE Ou3GRRBQSb+vuWyy4//Qj6xbW8EW3YUCA9a8xDQErXx5NYmIrjmC0K6aISswjByn 3ZnvZ16MGMkJKhBlGmt5wyK5Rx4AZlalk/SI6xxm5991nCFIuL2iKYpWeR89/764 Jj0cVoH3a4tQEZEiTKnWkmjnVMYjbrIzsUV6U1rNp28i2f1emu+YcOwoIdzjwc4U XuKC9rujOi/ynvQ582fHP8lZnS13oV6xuHKmxzOaJyGgn0JslEEq =sKO+ -----END PGP SIGNATURE-----