-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA512

From: Tanguy Ortolo
Subject: Changing OpenPGP key
Summary: I am replacing my old OpenPGP key E4E3687B with the new key 4B10D847
Date: Fri, 16 Apr 2010 22:51:00 +0200

Dear netizens,

To use stronger encryption algorithms, I set up a new OpenPGP key in replacement of my old one. As the owner of both keys, I signed this message to certify this transition.

The old key will continue to be valid for some time, but I would prefer to use the new key for all future correspondence. I would also like to integrate this new key into the web of trust.

My old key was:

    pub 1024D/E4E3687B 2006-06-09
        Key fingerprint = E445 130A E00E 6F53 1E31 ACC5 79FA B512 E4E3 687B

And my new key is:

    pub 4096R/4B10D847 2010-04-14
        Key fingerprint = 240B BA15 B694 DD00 E380 30D8 D6EF A6AC 4B10 D847

You can get this key with:

    $ gpg --keyserver keys.ortolo.eu --recv-key 4B10D847

or, from any public key server:

    $ gpg --keyserver keys.gnupg.net --recv-key 4B10D847

If you already have my old key, you can check that I signed the new key with the old one:

    $ gpg --check-sigs 4B10D847

If you are satisfied, you may sign my new key and send me this new signature:

    $ gpg --sign-key 4B10D847
    $ gpg --armor --export 4B10D847 | mail -s 'Your signed PGP key' tanguy@ortolo.eu

- --------------------------------------------------------------------------------

I, Tanguy Ortolo, owner of the OpenPGP private key of identifier E4E3687B, hereby declare:

• that the public key of identifier E4E3687B should not be used anymore;
• that I have the private key of identifier 4B10D847 at my disposal, and that nobody else has access to it as far as I know;
• that the public key of identifier 4B10D847 can and must be used in place of the public key of identifier E4E3687B.

- --------------------------------------------------------------------------------

Criticism
- ---------

I suggest that you sign my new key without having asked you in a direct meeting.
So here is an analysis of the possibilities that this request is corrupted. For clarity reasons, I shall speak of myself in the third person.

Someone, using the name of Tanguy Ortolo, pretends that the key 4B10D847 is owned by this one. This declaration is signed by the key E4E3687B that Tanguy owns. What could be wrong?

1. The author of this declaration could not be Tanguy Ortolo. This declaration is signed by the key E4E3687B that he owns, thus, in that case:
   1.1. this key could have been broken: this is a risk that is inherent to the encryption system and not specific to this request;
   1.2. the author of this declaration could have stolen the key E4E3687B from Tanguy: in that case it is his fault as he did not protect his key enough, and if you obey this request, the harm caused will be his responsibility, not yours;
   1.3. the author of this declaration could have got the key E4E3687B from Tanguy himself: here again, it would be his fault, not yours.
2. Tanguy may not own the new key 4B10D847. Tanguy Ortolo, or someone by his fault, declares that this one owns the key, so if it is not the case, either Tanguy knows it or he ignores it:
   2.1. Tanguy could have signed a false declaration: in that case it is his fault, and if you obey this request, the harm caused will be his responsibility, not yours; this case is also possible for requests made during direct meetings;
   2.2. Tanguy could have let someone else have access to the new private key 4B10D847, or have lost it: here again, it would be his fault and this case can occur during direct meetings requests.

I think I have covered all the existing problematic cases – if you find other ones, do not hesitate to signal them to me –: if you obey this request whereas you should not, the responsibility goes to Tanguy Ortolo or to the weakness of the cryptographic system, but not to you.

I will let you think about the possible consequences of your signature on my new public key – if you must not sign a key too quickly, keep in mind that you can always revoke your signatures in case of a problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

-----END PGP SIGNATURE-----
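
The statement above names each key by an 8-hex-digit identifier and also prints its full fingerprint. The following Python sketch is an added example, not part of the signed message or the author's own tooling: it parses the two key blocks, checks that each short identifier is the low 32 bits of its 160-bit fingerprint, and compares a locally obtained fingerprint against the announced one. The function names (`parse_keys`, `check_key`, `matches_statement`) are hypothetical.

```python
import re

# The two key blocks as printed in the statement above (whitespace normalised).
STATEMENT = """\
pub 1024D/E4E3687B 2006-06-09
Key fingerprint = E445 130A E00E 6F53 1E31 ACC5 79FA B512 E4E3 687B
pub 4096R/4B10D847 2010-04-14
Key fingerprint = 240B BA15 B694 DD00 E380 30D8 D6EF A6AC 4B10 D847
"""

PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\b")
FPR_RE = re.compile(r"^Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")

def normalise(fpr):
    """Strip spacing and case so fingerprints compare as plain hex."""
    return "".join(fpr.split()).upper()

def parse_keys(text):
    """Return one dict per 'pub' block with its size, algorithm letter, short id and fingerprint."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        pub = PUB_RE.match(line)
        fpr = FPR_RE.match(line)
        if pub:
            keys.append({"bits": int(pub.group(1)), "algo": pub.group(2),
                         "short_id": pub.group(3).upper(), "fingerprint": None})
        elif fpr and keys:
            keys[-1]["fingerprint"] = normalise(fpr.group(1))
    return keys

def check_key(key):
    """Return a list of problems; an empty list means the block is self-consistent."""
    fpr = key["fingerprint"]
    if fpr is None:
        return ["no fingerprint line follows the pub line"]
    if len(fpr) != 40:
        return ["fingerprint is not 160 bits (40 hex digits)"]
    if not fpr.endswith(key["short_id"]):
        return ["short id is not the low 32 bits of the fingerprint"]
    return []

def matches_statement(local_fpr, key):
    """True only if the locally seen fingerprint equals the announced one in full."""
    return normalise(local_fpr) == key["fingerprint"]
```

`matches_statement` is meant to receive the fingerprint your own keyring shows for the fetched key, for example from `gpg --fingerprint 4B10D847`; a key that merely shares the last eight hex digits does not pass.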