Hello

On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and will be transitioning away from my old one.
> This message is signed by both keys to certify the transition.

I have not received signatures with your mail, but Charly's reply implies that there is a signature, though it does not validate. I have switched to a new mail system; I hope it does not strip away signatures :-/

> If you already know my old key, you can now verify that the new key is
> signed by the old one:
>
> gpg --check-sigs DAD4736B

I believe (and I think others do too) it is good practice to not sign new keys, even if you have signed the old one and the new key is signed by the old one, without personally checking with the keyholder first. After all, the new key could have been compromised.

> If you don't already know my old key, or you just want to be double
> extra paranoid, you can check the fingerprint against the one above:
>
> gpg --fingerprint DAD4736B

If someone does _not_ know the old key, checking the fingerprint against an untrusted source like an e-mail is certainly not enough. It is crucial for the web of trust that key/UID combinations are only signed after the fingerprint has been confirmed by the keyholder in person, and the UID has been checked against an official identification.

I think the best way to have your new key integrated in the web of trust is to visit a keysigning party, or to look up key signers in your area at biglumber.com.

Raimar
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
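The two checks quoted in the thread (is the new key certified by the old one, and does its fingerprint match) can be automated from the machine-readable output of `gpg --with-colons --check-sigs <new key>`. The script below is an added example and is not code from the list post, from Raimar, or from GnuPG. It assumes the colon record layout documented in GnuPG's DETAILS file (field 2 of a `sig` record is validity, `!` meaning good; field 5 is the long key ID; field 10 of an `fpr` record is the fingerprint and of a `uid`/`sig` record the user ID; field 11 of a `sig` record is the signature class), and that a v4 long key ID is the last 16 hex digits of the fingerprint. The colon records and the fingerprints `1111…` (old key) and `2222…` (new key) are constructed placeholders, not Allen's real keys. It deliberately takes full fingerprints, not short IDs like `DAD4736B`, and requires every user ID to carry a good certification from the old key; a certification that does not verify (`-`) or comes from a key you do not have (`?`) does not count.

```shell
#!/bin/sh
# Added example: verify an OpenPGP key-transition claim from
# `gpg --with-colons --check-sigs <new key>` output. Not GnuPG code.

# Constructed placeholder fingerprints (not real keys).
OLD_FPR='1111111111111111111111111111111111111111'
NEW_FPR='2222222222222222222222222222222222222222'

# Constructed colon output: new key, one user ID, self-signature, a good
# certification from the old key, a certification from an unknown key (?),
# then a subkey with its binding signature.
GOOD_COLONS='pub:u:4096:1:2222222222222222:1242900000:::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1242900000::AAAA::Alice Example <alice@example.org>::::::::::0:
sig:!::1:2222222222222222:1242900000::::Alice Example <alice@example.org>:13x:::::2:
sig:!::1:1111111111111111:1242900100::::Alice Example (old) <alice@example.org>:10x:::::2:
sig:?::1:9999999999999999:1242900200::::[User ID not found]:10x:::::2:
sub:u:4096:1:3333333333333333:1242900000::::::e::::::23:
fpr:::::::::3333333333333333333333333333333333333333:
sig:!::1:2222222222222222:1242900000::::Alice Example <alice@example.org>:18x:::::2:'

# Constructed colon output: same key, but the certification from the old key
# is present yet does NOT verify (validity "-").
BAD_COLONS='pub:u:4096:1:2222222222222222:1242900000:::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1242900000::AAAA::Alice Example <alice@example.org>::::::::::0:
sig:!::1:2222222222222222:1242900000::::Alice Example <alice@example.org>:13x:::::2:
sig:-::1:1111111111111111:1242900100::::Alice Example (old) <alice@example.org>:10x:::::2:'

# transition_ok OLD_FPR NEW_FPR COLON_OUTPUT
# Exit 0 and print OK only if the primary fingerprint in COLON_OUTPUT equals
# NEW_FPR and every user ID carries a good (!) certification (class 0x10-0x13)
# issued by the key whose fingerprint is OLD_FPR. Short key IDs are never used.
transition_ok() {
  printf '%s\n' "$3" | awk -F: -v old="$1" -v new="$2" '
    BEGIN {
      old = toupper(old); new = toupper(new)
      old_id = substr(old, length(old) - 15)   # v4 long key ID = last 16 hex digits
      ok = 1; nuid = 0; cur = ""
    }
    $1 == "pub" { want_primary = 1; cur = "" }
    $1 == "fpr" && want_primary { primary = toupper($10); want_primary = 0 }
    $1 == "uid" { cur = $10; nuid++; signed[cur] = 0 }
    $1 == "sub" { cur = "" }   # signatures after a subkey are binding sigs, not certifications
    $1 == "sig" && cur != "" && $2 == "!" && toupper($5) == old_id \
        && substr($11, 1, 2) ~ /^1[0-3]$/ { signed[cur] = 1 }
    END {
      if (primary != new) { print "FAIL: primary fingerprint " primary " is not " new; exit 1 }
      if (nuid == 0)      { print "FAIL: no user IDs found"; exit 1 }
      for (u in signed) if (!signed[u]) { print "FAIL: " u " has no good certification from " old_id; ok = 0 }
      if (!ok) exit 1
      print "OK: every user ID of " new " is certified by " old
    }'
}

# Usage on the constructed samples; the second call prints the reason it fails.
transition_ok "$OLD_FPR" "$NEW_FPR" "$GOOD_COLONS"
transition_ok "$OLD_FPR" "$NEW_FPR" "$BAD_COLONS" || true
```

Against a real keyring the call is `transition_ok "$OLD" "$NEW" "$(gpg --with-colons --check-sigs "$NEW")"`, with both fingerprints taken from a source you already trust (your own keyring for the old key, the keyholder in person for the new one). A passing result only confirms that whoever controls the old key vouched for the new one; as the reply above says, it is not by itself grounds to sign the new key.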