I’ve been using OpenPGP for email signing (and very rarely for email encryption) for ages. In fact, the key that I’ve been using so far is from 2001:
Key ID: FA817B97927965CA
Fingerprint: E434 42D9 61CA EABF D4BF 36AC FA81 7B97 9279 65CA
This key (actually a primary key with two sub-keys, one for signing, one for encryption) is fairly small by today’s standards. I’ve been aware of this for ages, but I’ve also been too lazy to roll out a new key. Well, until today. So, here is the new one finally:
Key ID: AA3FBEFBE3D75E3B
Fingerprint: 956F 3271 E9B2 8A45 A03C 35F1 AA3F BEFB E3D7 5E3B
It’s also signed with the old key, so if you trusted that, you can trust the new one, too. I’ve already configured my email client to use the new key from now on. And I will mark the old one as expired or revoked eventually…
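The transition sketched above (certify the new key with the old one, then retire the old one by expiry) as a runnable GnuPG script; this is an added example, not something from the post, and it uses two throwaway test keys with made-up user IDs in a temporary GNUPGHOME, assuming only that gpg (GnuPG 2.1 or later) is on PATH:

```sh
#!/bin/sh
# Added example, not from the post: an OpenPGP key-transition walk-through with
# GnuPG inside a throwaway GNUPGHOME.  Two freshly generated test keys stand in
# for the author's 2001 key and its 2023 replacement; the user IDs and expiry
# periods are made up.  Assumes gpg (GnuPG 2.1 or later) is on PATH.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Unattended gpg with unprotected keys (test keys only; protect a real key).
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the primary key whose user ID matches $1 (first "fpr" record).
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# 1. The old key (no expiry, like a 2001 key) and the stronger new key.
gpgb --quick-generate-key 'Old Key <old@example.invalid>' rsa2048 default 0
gpgb --quick-generate-key 'New Key <new@example.invalid>' rsa4096 default 2y
OLD=$(fpr_of old@example.invalid)
NEW=$(fpr_of new@example.invalid)

# 2. Certify the new key with the old one: whoever trusted OLD can verify that
#    OLD's owner vouches for NEW.  This is the "signed with the old key" step.
gpgb --default-key "$OLD" --quick-sign-key "$NEW"

# 3. Retire the old key by giving it an expiry date rather than deleting it, so
#    old signatures stay verifiable while nobody should encrypt to it any more.
#    (--generate-revocation is the irreversible alternative the post mentions.)
gpgb --quick-set-expire "$OLD" 30d

# Certifications on NEW issued by OLD: "sig" records whose issuer key ID (field 5)
# equals OLD's long key ID, i.e. the last 16 hex digits of its fingerprint.
old_sigs_on_new() {
    kid=$(printf '%s' "$OLD" | tail -c 16)
    gpg --batch --with-colons --list-sigs "$NEW" \
        | awk -F: -v k="$kid" '$1=="sig" && $5==k {n++} END{print n+0}'
}

# "yes" if the old key's pub record now carries an expiry timestamp (field 7).
old_key_expires() {
    gpg --batch --with-colons --list-keys "$OLD" \
        | awk -F: '$1=="pub"{print ($7!="")?"yes":"no"; exit}'
}

old_sigs_on_new; old_key_expires
```

Export both public keys afterwards (gpg --armor --export) so that peers who import them see the old key's certification on the new one and the new expiry date on the old one.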
One reason that I’ve been putting off key rotation for so long: using OpenPGP, GnuPG, and similar tools has always seemed such a hassle. And I’m afraid that this has not improved much in the year 2023. Today, I’ve been wrestling with crashing CLI and desktop tools for OpenPGP, numerous error messages, discontinued key servers, etc. Yes, I know that SHA1 is considered insecure. But why should its use in the signatures on my old key keep me from using the old key to sign the new key? This is all still way too frustrating…