Alice and Bob have signed each other's PGP keys.

Later, Bob wants to transition to another PGP key. He wants Alice to sign his new key, but cannot meet in person because he lives far away.

Under what conditions should Alice sign Bob's new key?

1 Answer

I'll have a go at answering this myself. Tell me if I'm wrong.

Alice should sign Bob's new key, if:

  • Bob produces a statement "new_key is my new key.", signed with his old key. (See What's the purpose of a PGP transition statement?)
  • old key is not expired
  • old key has no revocation with a Reason for Revocation of "Key material has been compromised" (otherwise the compromiser could have generated the transition statement)
  • either:
    • new key has same UID as old key, OR
    • new key has a different email address, in which case you should perform email ownership verification (for example, by only sending the signature to the new email address)
  • Hmm. Why only revoke once your new key has all the signatures? What I did last time was revoke as soon as I uploaded the new key but made a note of the new key's full fingerprint in the revocation note. – Wilhelm Erasmus Nov 16 '17 at 18:44
  • @WilhelmErasmus Good point. I think a signature using a revoked key is good, as long as you aren't aware of another revocation of the key that has a Reason for Revocation of "Key material has been compromised". I've updated my answer accordingly. –  Nov 17 '17 at 04:59
  • Additionally, a revocation note of a key is only as good as the expiry of that key, since signatures (including revocations) cannot be trusted beyond the expiry of the key. That's the purpose of key expiration. –  Nov 17 '17 at 05:17
  • Wouldn't a transition statement be an exception to this because it tells you which key to trust now? Obviously the statement needs to be signed before the key expires. – Wilhelm Erasmus Dec 10 '17 at 22:14
  • @WilhelmErasmus I don't think there's an exception, since if there was, an attacker (who feasibly has the key; this is why we have expiration) could produce a valid transition statement. Also a signature isn't time-based, so you cannot tell whether a document (e.g. transition statement) was signed before or after the key expired. –  Dec 10 '17 at 23:51
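As an added illustration (not part of the question, the answer or the comments above): the answer's conditions, plus the comment-thread caveat that a revocation is only fatal when its reason is "key material has been compromised", written as one decision function. The `Key` and `TransitionStatement` records, the fingerprints and the UIDs are constructed for the example; the cryptographic verification of the statement's signature is assumed to have been done beforehand (for instance with `gpg --verify`) and is passed in as a flag.

```python
import re
from dataclasses import dataclass, field

# RFC 4880 section 5.2.3.23 reason-for-revocation codes (names as GnuPG prints them).
REASON_COMPROMISED = 0x02   # "Key material has been compromised"
REASON_SUPERSEDED = 0x03    # "Key is superseded"

@dataclass
class Key:                   # constructed model of what a keyring listing would show
    fingerprint: str         # full 40-hex fingerprint, spaces allowed
    uids: list               # user IDs, e.g. ["Bob <bob@example.org>"]
    expired: bool = False
    revocation_reasons: list = field(default_factory=list)  # codes on revocation sigs

@dataclass
class TransitionStatement:   # constructed model of the signed statement
    text: str                # e.g. "<new fingerprint> is my new key."
    signer: str              # fingerprint of the key whose signature verified
    signature_ok: bool       # outcome of the external signature verification

def norm_fpr(fpr):
    """Strip whitespace and upper-case so fingerprints compare reliably."""
    return re.sub(r"\s+", "", fpr).upper()

def emails(key):
    """Set of e-mail addresses found in the key's UIDs."""
    return {m.lower() for uid in key.uids for m in re.findall(r"<([^>]+)>", uid)}

def decide(old, new, stmt):
    """Return 'SIGN', 'SIGN_AFTER_EMAIL_VERIFICATION' or a 'REFUSE: ...' reason."""
    if stmt is None or not stmt.signature_ok:
        return "REFUSE: no transition statement with a valid signature"
    if norm_fpr(stmt.signer) != norm_fpr(old.fingerprint):
        return "REFUSE: statement is not signed by the old key"
    if norm_fpr(new.fingerprint) not in norm_fpr(stmt.text):
        return "REFUSE: statement does not name the new key's full fingerprint"
    if old.expired:
        return "REFUSE: old key is expired, so its signatures cannot be trusted"
    if REASON_COMPROMISED in old.revocation_reasons:   # superseded/retired is fine
        return "REFUSE: old key revoked as compromised, statement may be forged"
    if set(old.uids) & set(new.uids):
        return "SIGN"
    if emails(new) - emails(old):
        return "SIGN_AFTER_EMAIL_VERIFICATION"
    return "REFUSE: no shared UID and no new address to verify"

# Constructed sample keys and statement (fingerprints are obviously fake).
OLD = Key("1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA", ["Bob <bob@example.org>"])
NEW = Key("BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444", ["Bob <bob@example.org>"])
STMT = TransitionStatement(f"{NEW.fingerprint} is my new key.", OLD.fingerprint, True)

if __name__ == "__main__":
    print(decide(OLD, NEW, STMT))
```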