I am transitioning GPG keys from an old 2048-bit RSA key to a new 4096-bit RSA key. The old key will continue to be valid for some time, but I prefer all new correspondence to be using the new key, and will be making all signatures going forward with the new key.

This transition document is signed with both keys to validate the transition.

If you have signed my old key, I would appreciate signatures on my new key as well, provided that your signing policy permits that without reauthenticating me.

The old key, which I am transitioning away from, is:

  rsa2048/457CE0A0804465C5 2006-07-27
  Fingerprint = 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5

The new key, to which I am transitioning, is:

  rsa4096/61AD3D98ECDF2C8E 2024-04-24
  Fingerprint = 9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF 2C8E

To fetch the full new key from a public key server using GnuPG, run:

  gpg --keyserver keys.gnupg.net --keyserver-options no-self-sigs-only \
      --recv-key 9D8BE14E3F2A9DD7919928F161AD3D98ECDF2C8E

(no-self-sigs-only is needed because otherwise only the self-signatures will be fetched, but no cross-signatures from one key to another. The same can be achieved using different keyservers too, e.g., keys.openpgp.org or keyserver.ubuntu.com)

If you have already validated my old key, you can then validate that the new key is signed by my old key:

  gpg --check-sigs 9D8BE14E3F2A9DD7919928F161AD3D98ECDF2C8E

If you then want to sign my new key, a simple and safe way to do that is by using caff (shipped in Debian as part of the "signing-party" package) as follows:

  caff 9D8BE14E3F2A9DD7919928F161AD3D98ECDF2C8E

Please contact me (for example via e-mail at ) if you have any questions about this document or this transition.

  Michael Tokarev
  mjt@tls.msk.ru
  2024-04-24
  (updated 2024-08-16 to note no-self-sigs-only keyserver option)
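
The validation step above can also be checked mechanically. The following is an added example, not part of the original statement: a shell function that reads `gpg --with-colons --check-sigs` output and succeeds only when the new key carries a verified certification from the old key, which is exactly what is missing when only self-signatures were fetched. The helper name `cross_signed` is hypothetical and the sample listing is constructed; the two fingerprints are the ones given in the statement.

```shell
#!/bin/sh
# Added example, not part of the statement; fingerprints are copied from it.
NEW_FPR=9D8BE14E3F2A9DD7919928F161AD3D98ECDF2C8E
OLD_FPR=6EE195D1886E8FFB810D4324457CE0A0804465C5

# cross_signed NEW OLD  (hypothetical helper; colon listing on stdin)
# Exit 0 only if the key whose primary fingerprint is NEW has a user ID with a
# signature from OLD that gpg verified ("!" in field 2). "?" means the signer's
# public key is missing locally, "-" a bad signature. Revocation ("rev")
# records and expiry are not evaluated here.
cross_signed() {
    awk -F: -v new="$1" -v old="$2" '
        BEGIN { oldid = substr(old, length(old) - 15) }   # long key ID
        $1 == "pub" { ctx = "pub"; want = 0; next }
        $1 == "uid" || $1 == "sub" { ctx = $1; next }
        $1 == "fpr" && ctx == "pub" { want = ($10 == new); next }
        $1 == "sig" && ctx == "uid" && want && $5 == oldid &&
            substr($2, 1, 1) == "!" && ($13 == "" || $13 == old) { good = 1 }
        END { exit !good }
    '
}

# Constructed sample listing (timestamps and UID text are made up).
sample_good() {
cat <<EOF
pub:-:4096:1:61AD3D98ECDF2C8E:1713916800:::-:::scESC:
fpr:::::::::$NEW_FPR:
uid:-::::1713916800::::constructed uid:
sig:!::1:61AD3D98ECDF2C8E:1713916800::::constructed uid:13x:::::10:
sig:!::1:457CE0A0804465C5:1713916900::::constructed uid:10x::$OLD_FPR:::10:
EOF
}

# Real use:
#   gpg --with-colons --check-sigs "$NEW_FPR" | cross_signed "$NEW_FPR" "$OLD_FPR"
sample_good | cross_signed "$NEW_FPR" "$OLD_FPR" && echo "cross-signature verified"
```

A "!" only says the signature verified against the old key in the local keyring, so the result is as trustworthy as your own validation of that old key.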