There comes a moment in the life of a man when he has to change his keys.

There are all sorts of good reasons to renew your GPG keys. You may have too many sub-keys, some expired while others are still valid, or the software may have moved to a new major version with better algorithms. Or the key is simply too old.

But you have to do it in an orderly way. Otherwise you may break your whole web of trust. That is why you need to make a transition.

Procedure

First of all, you need to create a new pair of keys.

Then you sign the old key with the new one and the new one with the old one, and send both to the keyservers if you use them.

By cross-signing, you let your contacts progressively learn about your new key. Seeing that it is signed with the key they already know, they will easily understand that you have a new key (this is just the simplest case of the Web of Trust).

You should also write a "transition memo", like those you will find on the web. This lets careful people assess how seriously you handle your keys.

Step by step procedure

  • Create a new pair of keys.
  • Cross-sign the keys (sign the new one with the old one and the old one with the new one).
  • Change the expiry date of your old key.
  • Send or update the two keys on the keyservers.
  • Write a transition memo containing your keys' characteristics (fingerprints, validity periods, when you stop using the old key…) and sign it with both keys.
  • Send this document, with its signatures of course, by mail to your regular contacts. This way they will learn about your new key and accept it into their keyring.
  • Ask in that transition memo that the people who previously signed your old key do the same with the new one.
    Reading the memo, they might think you did a good job and sign the second key.
  • If possible, publish this transition memo somewhere public, ideally on your own website. It may seem odd, but a Facebook page could also be a good place for it.
    All versions of this memo should include both keys' fingerprints and the expiry date of the old key. If possible, the signature files should be downloadable from a URL given in the memo itself.
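The steps above, run end to end as an added example (this is not code from the original post). The script uses a throw-away GNUPGHOME so it never touches your real keyring, and it assumes GnuPG 2.1 or later for the `--quick-*` commands. The user IDs, expiry periods, and memo text are constructed for the demonstration; the demo keys carry no passphrase so the run is unattended, which a real key should never do. The keyserver upload is left as a comment because it is the only step that needs the network.

```shell
#!/bin/sh
# Added example, not part of the original post.  Walks the transition
# procedure in an isolated keyring: generate, cross-sign, expire the old key,
# write and double-sign the memo, then verify what a contact would check.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

GNUPGHOME=$(mktemp -d)          # throw-away keyring, removed on exit
export GNUPGHOME
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Demo keys have an empty passphrase so every step runs unattended (assumption
# for the demo only; real keys should be protected).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Step 1: create a key pair; prints the full 40-hex fingerprint.
gen_key() {                     # $1 = user id, $2 = expiry (e.g. 1y)
    g --quick-generate-key "$1" ed25519 sign "$2"
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr" {print $10; exit}'
}

# Step 2: cross-sign.  Key $1 certifies key $2 (both given as fingerprints).
cross_sign() { g -u "$1" --quick-sign-key "$2"; }

# Step 3: shorten the old key's life to the transition window.
expire_key() { g --quick-set-expire "$1" "$2"; }

# Expiry of a primary key as seconds since the epoch (field 7 of the pub record).
key_expiry() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub" {print $7; exit}'; }

# What a contact checks: does key $2 carry a good certification made by key $1?
signed_by() {
    signer_id=$(printf '%s' "$1" | tail -c 16)     # long key id = last 16 hex of fpr
    gpg --batch --with-colons --check-sigs "$2" 2>/dev/null \
      | awk -F: -v id="$signer_id" '$1=="sig" && $2=="!" && $5==id {ok=1} END {exit !ok}'
}

# Step 4: the memo, with both fingerprints and the old key's expiry (constructed text).
write_memo() {                  # $1 = old fpr, $2 = new fpr, $3 = memo path
    cat > "$3" <<EOF
Key transition memo (constructed example)

Old key: $1
  expires at unix time $(key_expiry "$1"); do not trust it after that
New key: $2

The keys are cross-signed.  If you signed the old key, please sign the new one.
EOF
}

# Sign the memo once with each key; produces $3.asc with two signatures.
sign_memo() { g -u "$1" -u "$2" --clearsign --output "$3.asc" "$3"; }

# Number of good signatures gpg reports on a signed file.
valid_sig_count() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | grep -c '^\[GNUPG:\] VALIDSIG' || true
}

run_transition() {
    OLD_FPR=$(gen_key "Old Key (demo) <old@example.invalid>" 1y)
    NEW_FPR=$(gen_key "New Key (demo) <new@example.invalid>" 2y)
    cross_sign "$OLD_FPR" "$NEW_FPR"
    cross_sign "$NEW_FPR" "$OLD_FPR"
    expire_key "$OLD_FPR" 30d
    MEMO="$GNUPGHOME/transition.txt"
    write_memo "$OLD_FPR" "$NEW_FPR" "$MEMO"
    sign_memo "$OLD_FPR" "$NEW_FPR" "$MEMO"
    # Both public keys in one armored file, to put on a web page next to the memo.
    gpg --batch --armor --export "$OLD_FPR" "$NEW_FPR" > "$GNUPGHOME/pubkeys.asc"
    # Online step, not run here:  gpg --send-keys "$OLD_FPR" "$NEW_FPR"
    echo "old $OLD_FPR  new $NEW_FPR  memo $MEMO.asc"
}

run_transition
```

Running it prints the two fingerprints and the path of the double-signed memo inside the temporary directory; everything is deleted when the script exits, so copy the files out first if you want to look at them. A real transition would add an encryption subkey to the new key (`gpg --quick-add-key`) and keep the old key's secret material until the expiry date passes, so that mail encrypted to it during the window can still be read.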