PGP

My current and past PGP keys are listed below. Note that I rotate my keys (including the primary key) regularly. Additionally, I have a Protonmail account. It is not simple to use a Protonmail account with an external PGP key, so for the time being my emails are only signed by Protonmail. You can download my public key here.

I manage my PGP keys in an atypical manner. Most notably, I do not use long-lived PGP keys. I use subkeys to make it easier to work with my smartcard, which expects three separate keys: one each for signing, encryption, and authentication. It might be technically possible to upload the same key to all three slots (I have not tried), but this would be inconvenient because GPG wants to delete the local copy of a key after it has been uploaded to the card. I do not consider the primary key to be any more secure than the subkeys. I rotate my keys at least annually, and may rotate them sooner than the expiration date.

Rotating keys causes some incompatibility with current systems, which expect the same key to be used for years, decades, or even an entire lifetime. I will do what I can to accommodate these incompatibilities, for example by signing an email which contains a commit rather than signing the commit itself.

Key rotation is a three-step process:

  1. Create the new key
  2. Sign the new key with the old key
  3. Revoke the old key

This creates a single line of keys, which increases confidence that the keys are legitimate. If there is ever a branch in the line, something has gone wrong: at present, a branch would mean that someone has uploaded a key in bad faith (and if that key is signed, the signing key has been compromised).
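As an added illustration (not the author's own procedure or scripts), here are the three steps above carried out with GnuPG in a throwaway keyring, including the sign/encrypt/auth subkey layout described earlier. The user ids, the example e-mail address and the one-year expiry are constructed, and the keys are created without a passphrase purely so that the script runs non-interactively.

```sh
#!/bin/sh
# Added example, not the page author's tooling: rotate a PGP key as the text
# describes (create new, sign new with old, revoke old) in a temporary GNUPGHOME.
# User ids, e-mail and expiry are constructed; no passphrase is used so gpg runs unattended.
set -eu

# gpg wrapper for unattended use (batch mode, empty passphrase).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

keyring_setup() {                # isolated keyring, removed (with its agent) on exit
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
}

# Primary-key fingerprint for an exact user id ("=" forces exact matching).
fpr_of() { gpg --with-colons --list-keys "=$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Step 1: a certify-only primary key plus the three subkeys a smartcard expects.
make_key() {                     # $1 = user id; prints the primary fingerprint
    g --quick-generate-key "$1" ed25519 cert 1y
    fpr="$(fpr_of "$1")"
    g --quick-add-key "$fpr" ed25519 sign 1y
    g --quick-add-key "$fpr" cv25519 encr 1y
    g --quick-add-key "$fpr" ed25519 auth 1y
    echo "$fpr"
}

# True if key $1 carries a good certification made by key $2 (long key id =
# last 16 hex digits of the fingerprint; field 5 of a "sig:" line in colon output).
signed_by() {
    id="$(printf %s "$2" | tail -c 16)"
    gpg --with-colons --check-sigs "$1" | grep -q "^sig:!:[^:]*:[^:]*:$id:"
}

# Step 3: GnuPG >= 2.1 stores a revocation certificate at key-creation time;
# its armor is disabled with a leading ':' that must be stripped before import.
revoke() { sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$1.rev" | g --import; }
is_revoked() { gpg --with-colons --list-keys "$1" | grep -q '^pub:r:'; }

rotate_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 0; }
    keyring_setup
    OLD="$(make_key 'Alice Example (2023) <alice@example.invalid>')"
    NEW="$(make_key 'Alice Example (2024) <alice@example.invalid>')"
    g --default-key "$OLD" --quick-sign-key "$NEW"           # step 2: old certifies new
    signed_by "$NEW" "$OLD" || { echo "chain broken" >&2; return 1; }
    revoke "$OLD"
    is_revoked "$OLD" && ! is_revoked "$NEW"                 # only the old key is revoked
}

if rotate_demo; then ROTATED=0; else ROTATED=1; fi
[ "$ROTATED" -eq 0 ] && echo "rotation chain verified"
```

Publishing the new key together with the old key's revocation certificate is what lets a verifier walk the line of keys described above; the script only exercises the local keyring.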

I do not have any other signatures on my keys because the people in my life who are physically present do not use PGP, and asking for a signature through digital communication is problematic. In order to help build confidence in the key, I now validate my email address with the OpenPGP keyserver. If this bothers you, read this before you yell at me.

Download the markdown source and signature.