Joi Ito's Web

Joi Ito's conversation with the living web.

I just uploaded my PGP key because Cyrus mentioned that I didn't have one on my web page. It's quite an old key that I created in 1997. The good thing is that it's signed by many people. The bad thing is that since it has been sitting around for a long time, it's more likely to have been stolen. So I'm trying to figure out whether I should dump the key and start using a new one. I have made a new one, but no one has signed it and I never end up using it. It's also kind of a pain for people when you have multiple keys...


Make dated announcement of key transition, including both old and new public keys.

Sign key transition announcement with both old and new private keys, seeding new key with trust from old key.

Any compromisers of old key must now advertise their key fork. Conflict resolution for competing new keys (real vs fake) can be done with your physical appearance at key signing event for new key, where other public "trusted" keys sign new key (and implicitly, the "real" key transition).

Some people can address old key, but they now accept risk, due to your dated public announcement of transition from old key to new key.

Other people can address new key. Their risk acceptance depends on their verification of transition from old key to new key.
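The transition procedure in the comment above, as an added example that is not from the post or any of its commenters: it models the dated, doubly-signed announcement, a correspondent's verification of it, and the conflict case where a thief holding the old key publishes a competing fork that is settled by third-party endorsements of the new key. Ed25519 from Go's standard library stands in for OpenPGP, and the statement format, dates, fingerprint scheme and endorsement format are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewKey generates an Ed25519 private key, a stand-in for a PGP key pair.
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Pub extracts the public half of a key.
func Pub(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// Fingerprint is a short identifier for a public key (constructed scheme: truncated SHA-256).
func Fingerprint(p ed25519.PublicKey) string {
	sum := sha256.Sum256(p)
	return hex.EncodeToString(sum[:8])
}

// Keyring is the set of third-party keys a correspondent already trusts.
type Keyring []ed25519.PublicKey

// Transition is the dated announcement: both public keys, signed by both private keys.
type Transition struct {
	Date           string
	OldPub, NewPub ed25519.PublicKey
	OldSig, NewSig []byte
}

// bytes is the exact message both signatures cover; the date is part of it so the
// announcement cannot later be presented as an undated claim.
func (t *Transition) bytes() []byte {
	return []byte(fmt.Sprintf("key-transition\ndate: %s\nold: %s\nnew: %s\n",
		t.Date, Fingerprint(t.OldPub), Fingerprint(t.NewPub)))
}

// Announce is the owner's side: build the statement and sign it with old and new keys.
func Announce(date string, oldPriv, newPriv ed25519.PrivateKey) *Transition {
	t := &Transition{Date: date, OldPub: Pub(oldPriv), NewPub: Pub(newPriv)}
	m := t.bytes()
	t.OldSig = ed25519.Sign(oldPriv, m)
	t.NewSig = ed25519.Sign(newPriv, m)
	return t
}

// Verify is the correspondent's side: they trust trustedOld and accept the new key only
// if the statement names that key and carries valid signatures from both keys.
func Verify(t *Transition, trustedOld ed25519.PublicKey) error {
	if !trustedOld.Equal(t.OldPub) {
		return errors.New("statement names an old key we do not trust")
	}
	m := t.bytes()
	if !ed25519.Verify(t.OldPub, m, t.OldSig) {
		return errors.New("old-key signature does not verify")
	}
	if !ed25519.Verify(t.NewPub, m, t.NewSig) {
		return errors.New("new-key signature does not verify")
	}
	return nil
}

// Endorsement is a third party's signature over a new key's fingerprint, the artefact
// produced at a key-signing event after checking the owner's identity in person.
type Endorsement struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

func endorseBytes(newPub ed25519.PublicKey) []byte { return []byte("endorse: " + Fingerprint(newPub)) }

// Endorse signs the new key's fingerprint with a third party's key.
func Endorse(signer ed25519.PrivateKey, newPub ed25519.PublicKey) Endorsement {
	return Endorsement{Signer: Pub(signer), Sig: ed25519.Sign(signer, endorseBytes(newPub))}
}

// Resolve handles competing statements that all verify against the old key (a thief of the
// old key can sign a transition too). It picks the candidate whose new key carries the most
// valid endorsements from trusted third parties, and returns nil on a tie or no endorsements.
func Resolve(cands []*Transition, ends map[string][]Endorsement, trustedOld ed25519.PublicKey, third Keyring) *Transition {
	var best *Transition
	bestCount, tie := 0, false
	for _, c := range cands {
		if Verify(c, trustedOld) != nil {
			continue
		}
		count := 0
		for _, e := range ends[Fingerprint(c.NewPub)] {
			for _, tp := range third {
				if tp.Equal(e.Signer) && ed25519.Verify(e.Signer, endorseBytes(c.NewPub), e.Sig) {
					count++
				}
			}
		}
		switch {
		case count > bestCount:
			best, bestCount, tie = c, count, false
		case count == bestCount:
			tie = true
		}
	}
	if tie || best == nil || bestCount == 0 {
		return nil
	}
	return best
}

func main() {
	oldK, newK, thief := NewKey(), NewKey(), NewKey()
	real := Announce("2004-01-15", oldK, newK)
	fake := Announce("2004-01-16", oldK, thief) // constructed: the old key was stolen and forked
	fmt.Println("owner's statement verifies:", Verify(real, Pub(oldK)) == nil)
	fmt.Println("thief's statement also verifies:", Verify(fake, Pub(oldK)) == nil)
	alice, bob := NewKey(), NewKey() // constructed: keys the correspondent already trusts
	ends := map[string][]Endorsement{Fingerprint(Pub(newK)): {Endorse(alice, Pub(newK)), Endorse(bob, Pub(newK))}}
	winner := Resolve([]*Transition{fake, real}, ends, Pub(oldK), Keyring{Pub(alice), Pub(bob)})
	fmt.Println("resolved to owner's new key:", winner == real)
}
```

The point the comment makes falls out of the second print: a valid old-key signature proves only possession of the old key, which is exactly what a thief has, so both statements pass Verify and only out-of-band endorsement of the new key decides between them. Resolve is deliberately strict about ties and about a candidate with zero trusted endorsements.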

Your prior correspondent is right on the mark. I am going through this as well, and have decided that a regular ritual of key cleanup is just as important as doing backups. (Of course, that probably means that neither will ever get done...but that's another story.)

Joi, those of us who care enough to use the tool will be happy to reestablish your "web of trust" for the new key.

Having just watched "Diamonds are Forever" for the first time in a long while, I have become somewhat more paranoid about impersonators though.
