I recently updated my gpg key and extended its expiration date for another year. Unlike prior years, I decided to 'look myself up' on http://keys.gnupg.net, and was shocked to find my name and email address attached to a (now revoked) key fingerprint that I had NOT created, and whose final four bytes matched those of my legitimate key's fingerprint. The entry on http://keys.gnupg.net indicates only a single date, which I'm not sure is the creation or revocation date, so I don't know the interval for which the key was in effect.
What is the 'best practice' response for my situation?
