@sjlombardo
Created April 23, 2014 20:16
Stephen Lombardo OpenPGP Key Transition.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Date: April 23rd, 2014

For a number of reasons, I've recently set up a new OpenPGP key,
and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one. I would also like this
new key to be re-integrated into the web of trust. This message is
signed by both keys to certify the transition.

The old key was:

pub 4096R/0x7CA502E93DB91BD9 2011-04-18
Key fingerprint = C55C 52E1 723D 166A BD1F 64F1 7CA5 02E9 3DB9 1BD9

And the new key is:

pub 4096R/0x52E8883F1591F4CE 2014-04-22 [expires: 2017-04-21]
Key fingerprint = D922 0490 1CD8 BFDF 63A2 D9F9 52E8 883F 1591 F4CE

To fetch the full key from a public key server, you can simply do:

gpg --keyserver hkps.pool.sks-keyservers.net --recv-key '0x52E8883F1591F4CE'

If you already know my old key, you can now verify that the new key is
signed by the old one:

gpg --check-sigs 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

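The two checks above (a good signature from the old key on the new one, and the new key's fingerprint matching the one quoted) can be scripted once you have captured gpg's machine-readable output. This is an added example, not part of the gist; it assumes you have run `gpg --with-colons --check-sigs <fingerprint>` yourself and pass its output in, and the sample output embedded below is constructed to mirror the keys in this message, not real gpg output.

```python
# Added check for a key-transition statement: the quoted fingerprints must
# agree with the quoted key IDs, and `gpg --with-colons --check-sigs` output
# must show a good certification of the new key by the old key.
import re

OLD_KEYID = "7CA502E93DB91BD9"
OLD_FPR = "C55C 52E1 723D 166A BD1F 64F1 7CA5 02E9 3DB9 1BD9"
NEW_KEYID = "0x52E8883F1591F4CE"
NEW_FPR = "D922 0490 1CD8 BFDF 63A2 D9F9 52E8 883F 1591 F4CE"

def normalize_fpr(value: str) -> str:
    """Drop whitespace and a leading 0x, upper-case: grouped and compact forms then compare equal."""
    s = re.sub(r"\s+", "", value).upper()
    return s[2:] if s.startswith("0X") else s

def fpr_matches_keyid(fpr: str, keyid: str) -> bool:
    """A v4 long key ID is the low 64 bits of the fingerprint, i.e. its last 16 hex digits."""
    f, k = normalize_fpr(fpr), normalize_fpr(keyid)
    return len(f) == 40 and len(k) == 16 and f.endswith(k)

def parse_colons(output: str) -> list:
    """Split `gpg --with-colons` output into records (lists of fields, 0-based here)."""
    return [line.split(":") for line in output.splitlines() if line]

def reported_fpr(output: str) -> str:
    """Fingerprint gpg printed: field 10 of the first 'fpr' record (doc/DETAILS layout)."""
    return next(r[9] for r in parse_colons(output) if r[0] == "fpr")

def good_sig_from(output: str, signer_keyid: str) -> bool:
    """True if a 'sig' record has validity '!' (field 2, good) and signer key ID (field 5) == signer_keyid."""
    want = normalize_fpr(signer_keyid)
    return any(r[0] == "sig" and r[1] == "!" and r[4].upper() == want
               for r in parse_colons(output))

def transition_checks_out(output: str) -> bool:
    """All checks the message asks for, given captured --check-sigs output for the new key."""
    return (fpr_matches_keyid(OLD_FPR, OLD_KEYID)
            and fpr_matches_keyid(NEW_FPR, NEW_KEYID)
            and reported_fpr(output) == normalize_fpr(NEW_FPR)
            and good_sig_from(output, OLD_KEYID))

# Constructed stand-in for `gpg --with-colons --check-sigs <new fingerprint>`:
# the new key's self-signature plus a good certification from the old key.
SAMPLE_CHECK_SIGS = """\
pub:u:4096:1:52E8883F1591F4CE:1398124800:1492732800::u:::scESC:
fpr:::::::::D92204901CD8BFDF63A2D9F952E8883F1591F4CE:
sig:!::1:52E8883F1591F4CE:1398124800::::Stephen Lombardo:13x:
sig:!::1:7CA502E93DB91BD9:1398124800::::Stephen Lombardo:10x:
"""
```

A `-` (bad), `?` (signer key not in your keyring) or `%` (error) in the validity field makes the check fail, which is the case where you should fetch the old key or fall back to comparing fingerprints out of band.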
If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key. You can
do that by issuing the following command:

**
NOTE: if you have previously signed my key but did a local-only
signature (lsign), you will not want to issue the following, instead
you will want to use --lsign-key, and not send the signatures to the
keyserver
**

gpg --sign-key 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

I'd like to receive your signatures on my key. You can either send me
an e-mail with the new signatures (if you have a functional MTA on
your system):

gpg --export 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE' | \
gpg --encrypt -r 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE' --armor | \
mail -s 'OpenPGP Signatures' sjlombardo@zetetic.net

Additionally, I highly recommend that you implement a mechanism to keep your key
material up-to-date so that you obtain the latest revocations, and other updates
in a timely manner. You can do regular key updates by using parcimonie[0] to
refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring
from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits
for each key. The purpose is to make it hard for an attacker to correlate the
key updates with your keyring.

I also highly recommend checking out the excellent Riseup GPG best
practices doc, from which I stole most of the text for this transition
message ;-)

https://we.riseup.net/debian/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.

Stephen Lombardo

0. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----