sjlombardo · April 23, 2014 20:16
diff --git a/transition-statement.txt.asc b/transition-statement.txt.asc
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

 Date: April 23rd, 2014

 For a number of reasons, I've recently set up a new OpenPGP key,
 and will be transitioning away from my old one.

 The old key will continue to be valid for some time, but I prefer all
 future correspondence to come to the new one.  I would also like this
 new key to be re-integrated into the web of trust.  This message is
 signed by both keys to certify the transition.

 The old key was:

 pub   4096R/0x7CA502E93DB91BD9 2011-04-18
      Key fingerprint = C55C 52E1 723D 166A BD1F  64F1 7CA5 02E9 3DB9 1BD9

 And the new key is:

 pub   4096R/0x52E8883F1591F4CE 2014-04-22 [expires: 2017-04-21]
      Key fingerprint = D922 0490 1CD8 BFDF 63A2  D9F9 52E8 883F 1591 F4CE

 To fetch the full key from a public key server, you can simply do:

  gpg --keyserver hkps.pool.sks-keyservers.net --recv-key '0x52E8883F1591F4CE'

 If you already know my old key, you can now verify that the new key is
 signed by the old one:

  gpg --check-sigs 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

 If you don't already know my old key, or you just want to be double
 extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

 If you are satisfied that you've got the right key, and the UIDs match
 what you expect, I'd appreciate it if you would sign my key. You can
 do that by issuing the following command:

 ** 
 NOTE: if you have previously signed my key but did a local-only
 signature (lsign), you will not want to issue the following, instead
 you will want to use --lsign-key, and not send the signatures to the
 keyserver
 **

  gpg --sign-key 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

 I'd like to receive your signatures on my key. You can either send me
 an e-mail with the new signatures (if you have a functional MTA on
 your system):

  gpg --export 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE' | \
    gpg --encrypt -r 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE' --armor | \
    mail -s 'OpenPGP Signatures' <[email protected]>


 Additionally, I highly recommend that you implement a mechanism to keep your key
 material up-to-date so that you obtain the latest revocations, and other updates
 in a timely manner. You can do regular key updates by using parcimonie[0] to
 refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring
 from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits
 for each key. The purpose is to make it hard for an attacker to correlate the
 key updates with your keyring.


 I also highly recommend checking out the excellent Riseup GPG best
 practices doc, from which I stole most of the text for this transition
 message ;-)

 https://we.riseup.net/debian/openpgp-best-practices

 Please let me know if you have any questions, or problems, and sorry
 for the inconvenience.

 Stephen Lombardo

 0. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
 Comment: GPGTools - https://gpgtools.org

 iQJ8BAEBCgBmBQJTWA+9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
 ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRDNTVDNTJFMTcyM0QxNjZBQkQxRjY0RjE3
 Q0E1MDJFOTNEQjkxQkQ5AAoJEHylAuk9uRvZ5vEP/ivR7L4LYYfYOGIiIoQMyjw9
 mVQQbCe42oaV9OCjK2L+tv/U4GQ8MhjFQSvL2OX7at3VJ5DMl2QjxBqnWTW1atsj
 tU7vCnZN/b+wZ2uBQvfi8VqsgycZubienCuCHSRVH5Bdj6r1LnOpXm4pP1ueybJ2
 hgeBuRF3072a2uWY773UOrP3GkKbS+rk4taGtLM003oAfYee+oAv5+DvZyzlj3Is
 tRnWVdR6WTBsEnXQ+2ZZqCYcpRRUQZx35xzEkvV/WupWnJGR+99GJVRvDTpU+Rcz
 Ts3P0chFEwMOI73oQxq5CgYMsUstyfcAoebhFT6ISS+F0uV8cxyu+AOZOXp2XdmR
 X4zORX5qJL3/9qWNbEGWeWEjgq3EJz924pSYDyoR1oru+TPsh7IxiuzJEzOpdkLc
 K7J+ynvyMn1p94rRrSx0mbAabiTQdMhab/H+Vk0Pwm50kyvAqcDUFC0k9MIw2k0A
 zJHuxXWM0iNGP8rD0illemsdnLZEuS/s2LF/9I+7s7UAytKLg2cdxKVwjRW/7rHy
 EdEcBXzkJh9dvkbCxr9kZuiumAHoyrIg2C3+yp9IPMLCoDYDsgp71JFCrfRXIer5
 mjR6yPXBiN3bVJ5Eio1bl7hmFDA9xlUi1ih8gr/vWVLVLIAwoNedfPxKVrXL9z3v
 RqrbltJouG25pVFE+RSLiQH8BAEBCgBmBQJTWA++XxSAAAAAAC4AKGlzc3Vlci1m
 cHJAbm90YXRpb25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQyNjQ2RThFQ0Mw
 MERBRjRDMkY2N0RCQ0QxOUEwNDU3RDA1RUE4MzUwAAoJEBmgRX0F6oNQ43UMAJSw
 UBT4ry9QyxfYSJf662cipmtjdfnxkYremxKoXsxP+SgXkp39t4WAYE9J4sLXZxUi
 YeqcOSwH8QEFz7H3lOq4YAan2khlcuC0ayJh8Rt6JHwLvVxsMRNyZShthDJkrvfg
 RNwUi0s159y4crEGpNdFH6prFZpHL1mgg6W/LPsf2BRrE94msqpWaXeaNGl76WYO
 JDcJU2BvG79fiuPWqz5nsvVqllFeD2KnxMetaI9qDofYVYWDF5Z3kr2xwD1KDaKQ
 qbh9ZJMSQCghWScRKxTEfQ8qePHIfqvZ8xyLeqmdtXVFWnV00OHAVURUozJEErVI
 hyWlqcvixZc9TJ/bXvook2d3P+njxn9Mqp6kifwnB8nSUxbS+xdPl25pWc6yXOG4
 zgjX4WpZrpNdNdTNU4kt6u3y5819aU30lArNJLWTlPzRW27VwopjEOcEHx/YmqjK
 mJXLcRDl30aIBfY8OPW6WdaMhPR4mcUxXZLzSJ7nLaHjNJj64m98zOKrF/w7pA==
 =vSwD
 -----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA512

	Date: April 23rd, 2014

	For a number of reasons, I've recently set up a new OpenPGP key,
	and will be transitioning away from my old one.

	The old key will continue to be valid for some time, but I prefer all
	future correspondence to come to the new one. I would also like this
	new key to be re-integrated into the web of trust. This message is
	signed by both keys to certify the transition.

	The old key was:

	pub 4096R/0x7CA502E93DB91BD9 2011-04-18
	Key fingerprint = C55C 52E1 723D 166A BD1F 64F1 7CA5 02E9 3DB9 1BD9

	And the new key is:

	pub 4096R/0x52E8883F1591F4CE 2014-04-22 [expires: 2017-04-21]
	Key fingerprint = D922 0490 1CD8 BFDF 63A2 D9F9 52E8 883F 1591 F4CE

	To fetch the full key from a public key server, you can simply do:

	gpg --keyserver hkps.pool.sks-keyservers.net --recv-key '0x52E8883F1591F4CE'

	If you already know my old key, you can now verify that the new key is
	signed by the old one:

	gpg --check-sigs 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

	If you don't already know my old key, or you just want to be double
	extra paranoid, you can check the fingerprint against the one above:

	gpg --fingerprint 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

	If you are satisfied that you've got the right key, and the UIDs match
	what you expect, I'd appreciate it if you would sign my key. You can
	do that by issuing the following command:

	**
	NOTE: if you have previously signed my key but did a local-only
	signature (lsign), you will not want to issue the following, instead
	you will want to use --lsign-key, and not send the signatures to the
	keyserver
	**

	gpg --sign-key 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE'

	I'd like to receive your signatures on my key. You can either send me
	an e-mail with the new signatures (if you have a functional MTA on
	your system):

	gpg --export 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE' \| \
	gpg --encrypt -r 'D92204901CD8BFDF63A2D9F952E8883F1591F4CE' --armor \| \
	mail -s 'OpenPGP Signatures' <[email protected]>


	Additionally, I highly recommend that you implement a mechanism to keep your key
	material up-to-date so that you obtain the latest revocations, and other updates
	in a timely manner. You can do regular key updates by using parcimonie[0] to
	refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring
	from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits
	for each key. The purpose is to make it hard for an attacker to correlate the
	key updates with your keyring.


	I also highly recommend checking out the excellent Riseup GPG best
	practices doc, from which I stole most of the text for this transition
	message ;-)

	https://we.riseup.net/debian/openpgp-best-practices

	Please let me know if you have any questions, or problems, and sorry
	for the inconvenience.

	Stephen Lombardo

	0. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
	-----BEGIN PGP SIGNATURE-----
	Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
	Comment: GPGTools - https://gpgtools.org

	iQJ8BAEBCgBmBQJTWA+9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
	ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRDNTVDNTJFMTcyM0QxNjZBQkQxRjY0RjE3
	Q0E1MDJFOTNEQjkxQkQ5AAoJEHylAuk9uRvZ5vEP/ivR7L4LYYfYOGIiIoQMyjw9
	mVQQbCe42oaV9OCjK2L+tv/U4GQ8MhjFQSvL2OX7at3VJ5DMl2QjxBqnWTW1atsj
	tU7vCnZN/b+wZ2uBQvfi8VqsgycZubienCuCHSRVH5Bdj6r1LnOpXm4pP1ueybJ2
	hgeBuRF3072a2uWY773UOrP3GkKbS+rk4taGtLM003oAfYee+oAv5+DvZyzlj3Is
	tRnWVdR6WTBsEnXQ+2ZZqCYcpRRUQZx35xzEkvV/WupWnJGR+99GJVRvDTpU+Rcz
	Ts3P0chFEwMOI73oQxq5CgYMsUstyfcAoebhFT6ISS+F0uV8cxyu+AOZOXp2XdmR
	X4zORX5qJL3/9qWNbEGWeWEjgq3EJz924pSYDyoR1oru+TPsh7IxiuzJEzOpdkLc
	K7J+ynvyMn1p94rRrSx0mbAabiTQdMhab/H+Vk0Pwm50kyvAqcDUFC0k9MIw2k0A
	zJHuxXWM0iNGP8rD0illemsdnLZEuS/s2LF/9I+7s7UAytKLg2cdxKVwjRW/7rHy
	EdEcBXzkJh9dvkbCxr9kZuiumAHoyrIg2C3+yp9IPMLCoDYDsgp71JFCrfRXIer5
	mjR6yPXBiN3bVJ5Eio1bl7hmFDA9xlUi1ih8gr/vWVLVLIAwoNedfPxKVrXL9z3v
	RqrbltJouG25pVFE+RSLiQH8BAEBCgBmBQJTWA++XxSAAAAAAC4AKGlzc3Vlci1m
	cHJAbm90YXRpb25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQyNjQ2RThFQ0Mw
	MERBRjRDMkY2N0RCQ0QxOUEwNDU3RDA1RUE4MzUwAAoJEBmgRX0F6oNQ43UMAJSw
	UBT4ry9QyxfYSJf662cipmtjdfnxkYremxKoXsxP+SgXkp39t4WAYE9J4sLXZxUi
	YeqcOSwH8QEFz7H3lOq4YAan2khlcuC0ayJh8Rt6JHwLvVxsMRNyZShthDJkrvfg
	RNwUi0s159y4crEGpNdFH6prFZpHL1mgg6W/LPsf2BRrE94msqpWaXeaNGl76WYO
	JDcJU2BvG79fiuPWqz5nsvVqllFeD2KnxMetaI9qDofYVYWDF5Z3kr2xwD1KDaKQ
	qbh9ZJMSQCghWScRKxTEfQ8qePHIfqvZ8xyLeqmdtXVFWnV00OHAVURUozJEErVI
	hyWlqcvixZc9TJ/bXvook2d3P+njxn9Mqp6kifwnB8nSUxbS+xdPl25pWc6yXOG4
	zgjX4WpZrpNdNdTNU4kt6u3y5819aU30lArNJLWTlPzRW27VwopjEOcEHx/YmqjK
	mJXLcRDl30aIBfY8OPW6WdaMhPR4mcUxXZLzSJ7nLaHjNJj64m98zOKrF/w7pA==
	=vSwD
	-----END PGP SIGNATURE-----