Ich dachte mir, sicher ist sicher, paste ich es hier also auch nochmal rein:

Hi,

you are receiving this e-mail because you once signed my OpenPGP key BBE2A9E9. For a number of reasons, I’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but i prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition. If you are using the “mutt” MTA, you might have to add this line to your ~/.muttrc to have mutt automatically verify traditional style PGP messages:

#v+
message-hook ‘!(~g|~G) ~b"—–BEGIN\ PGP\ (SIGNED\ )?MESSAGE"’
“exec check-traditional-pgp”
#v-

The old key was:

pub 1024D/BBE2A9E9 2000-10-30 Key fingerprint = 100F D755 B723 B7A1 3E45 3E0E 9345 02E3 BBE2 A9E9

And the new key is:

pub 4096R/4BAE9B24 2013-09-17 Key fingerprint = DE92 4D5A 4080 1811 3B95 D9F8 491F ED2C 4BAE 9B24

To fetch the full key, you can get it with:

wget -q -O- https://mail.incertum.net/4bae9b24.pub.asc | gpg –import -

You can, alternatively, fetch my public key via HTTP:

wget -q -O- http://mail.incertum.net/4bae9b25.pub.asc | gpg –import -

Or, to fetch my new key from a public key server, you can simply do:

gpg –keyserver pgp.mit.edu –recv-key 4BAE9B24

The keys are published in DNS as well, as described in http://www.gushi.org/make-dns-cert/HOWTO.html. If you are using a recent version of GnuPG, you may add

auto-key-locate cert pka

to your ~/.gnupg/options to automatically retrieve the key via DNS.

Please note that all DNS data for the “incertum.net” zone is DNSSEC signed. Furthermore, you can verify the webservers certificate using DANE TLSA records.

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg –check-sigs 4BAE9B24

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg –fingerprint 4BAE9B24

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:

gpg –sign-key 4BAE9B24

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg –armor –export 4BAE9B24 | mail -s “OpenPGP Signatures” cite@incertum.net

Or you can just upload the signatures to a public keyserver directly:

gpg –keyserver pgp.mit.edu –send-key 4BAE9B24

Please DO NOT upload my key to *.pgp.com. pgp.mit.edu and subkeys.pgp.net are sane choices.

Please let me know if there is any trouble, and sorry for the inconvenience.

Regards,

Stefan

[This e-mail is is based on dkg’s template at http://fifthhorseman.net/key-transition-2007-06-15.txt, thanks for that.]

Man sieht sehr schön, wie die verschiedenen Crypto-Geschichten da ineinander greifen: Via DNSSEC ist zum einen der CERT-RR direkt abgesichert, was einen automatischen Download des Keys ermöglicht. Wer den Key lieber per Hand und über SSL vom Webserver zieht, der kann via DANE TLSA verifizieren, dass das Zertifikat das erwartete ist. Und wer dem alten Key traut, sieht dessen Unterschrift nicht nur unter der Mail, sondern auch auf dem neuen Key.