September 29, 2019

PGP Key Updated

Just a quick note that I have updated my PGP key. The fingerprint and signing key are the same! I have only updated the encryption key.

Why would I do this? Well, to provide some manner of forward security. By rotating the encryption key, anyone who successfully compromised my key earlier will not have access to any messages sent to me with the new key. If someone compromises this key, they will not have access to messages sent years ago.

Just The Facts

The file on this server has been updated: link. That same folder has a signature for that file, made with the private key: sig. The signature only proves that I control the private key, but if you already trust the root key id, that may suffice.

Encryption Key Policy

My PGP key uses a subkey for encryption, which is how I can change that part without changing the fingerprint/id/etc. The subkey has an expiration date 60 days after it is issued. I will keep the expired subkey for 60 days after it is revoked, and then I will remove the subkey from the key entirely. This allows me to still read messages sent by people who don’t update right away.

If you are refreshing my key from the servers periodically (please do!) you should be fine. The file on this server is updated when I change the subkeys as well (see below).
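As an added illustration of the policy above (not code from the original post), here is a small script that reads a key listing in the machine-readable format of `gpg --with-colons --list-keys` and, for a given date, sorts the encryption subkeys into active, in the 60-day grace window, or due for removal, and reports which subkey a sender should encrypt to. The listing is a constructed sample with made-up key ids, and the script assumes the grace window is counted from the expiry timestamp.

```python
"""Check a key listing against a 60-day encryption-subkey rotation policy."""
from datetime import datetime, timezone

DAY = 86400
LIFETIME_DAYS = 60   # subkey expires 60 days after issue
GRACE_DAYS = 60      # expired subkey is kept 60 more days, then removed

# Constructed sample of `gpg --with-colons --list-keys` output (not a real key).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1483228800:::u:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1483228800::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:4096:1:AAAA000000000001:1556755200:1561939200:::::e::::::23:
sub:e:4096:1:AAAA000000000002:1561939200:1567123200:::::e::::::23:
sub:u:4096:1:AAAA000000000003:1567123200:1572307200:::::e::::::23:
"""

def parse_encryption_subkeys(listing):
    """Yield (keyid, created, expires) for each subkey with the 'e' capability."""
    for line in listing.splitlines():
        f = line.split(":")
        # colon fields: 1 record type, 5 keyid, 6 created, 7 expires, 12 capabilities
        if f[0] == "sub" and "e" in f[11]:
            yield f[4], int(f[5]), (int(f[6]) if f[6] else None)

def classify(listing, now):
    """Map keyid -> (status, lifetime_ok). now is a unix timestamp.
    active: not yet expired; grace: expired within GRACE_DAYS (owner still keeps
    it, so old mail stays readable); remove: past the grace window."""
    result = {}
    for keyid, created, expires in parse_encryption_subkeys(listing):
        if expires is None or expires > now:
            status = "active"
        elif now - expires <= GRACE_DAYS * DAY:
            status = "grace"
        else:
            status = "remove"
        lifetime_ok = expires is not None and expires - created == LIFETIME_DAYS * DAY
        result[keyid] = (status, lifetime_ok)
    return result

def current_encryption_key(listing, now):
    """Keyid a sender should encrypt to now, or None if the key needs refreshing."""
    active = [k for k, (s, _) in classify(listing, now).items() if s == "active"]
    return active[-1] if active else None

if __name__ == "__main__":
    NOW = int(datetime(2019, 9, 29, tzinfo=timezone.utc).timestamp())
    for keyid, (status, ok) in classify(SAMPLE_LISTING, NOW).items():
        print(f"{keyid}: {status}, 60-day lifetime: {ok}")
    print("encrypt to:", current_encryption_key(SAMPLE_LISTING, NOW))
```

Run it against your own keyring with `gpg --with-colons --list-keys <keyid>` piped into `SAMPLE_LISTING` to see whether the copy you hold is still current or needs a refresh from the key server.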

Why 60 days?

No reason. Really! 60 days should be long enough that I am not bugging people to update the key constantly, but short enough to limit any potential compromise. Also, who reads emails that are 60 days old anyway?!

Additional Locations

I am stevemal on Keybase. My key is available directly at: https://keybase.io/stevemal/pgp_keys.asc

I’ve updated hkps://hkps.pool.sks-keyservers.net from the command line, but it takes a bit to propagate.

Any locations I missed? Email me! (The email address should be apparent from the key!)


© Steven Malins 2019