Created a 4096 bit GPG key to replace my 1024 bit one
Nov 21st, 2009 by kanru

In light of recent new attacks against SHA-1 [1,2], and the NIST guidance on 1024 bit keys and SHA-1 hashes [3,4], I have decided to move to a new OpenPGP key of a larger size. As such, I will be slowly transitioning away from my old key.

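In response to several recent SHA-1 attacks [1,2], there has been a wave of people updating their OpenPGP keys. I will also be slowly transitioning to a new key.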

My old key will continue to be valid for some time to come, but I’d prefer all new correspondence to use the new one. I’ll also be switching my outgoing signatures (email and code) onto the new key. For this to work well, I’d like my new key to be re-integrated into the web of trust. So, I’ve signed this message with both the old and the new keys, to certify the transaction.

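The old key can still be used for a while, but I hope everyone will switch to the new key from now on. I will also use the new key to sign email and documents. For everything to go smoothly, it would be best if the new key could be added to the web of trust.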

The old key was:

The old key is:

pub   1024D/365CC7A2 2004-06-28 Kanru Chen (koster)
 Primary key fingerprint: 3278 DFB4 BB28 6E8C 9E1F  1ECB B1B7 5B5F 365C C7A2

And the new key is:

The new key is:

pub   4096R/CEC6AD46 2009-10-19 Kan-Ru Chen (陳侃如)
 Primary key fingerprint: 374F F2AD 0A12 935F D0B0  C84F 1B13 2E01 CEC6 AD46

To fetch my new key from a public key server, you can simply do:

With the following command, you can fetch my new key from a public key server:

  gpg --keyserver pgp.mit.edu --recv-key CEC6AD46

If you already know my old key, you can now verify that the new key is signed by the old one:

If you already have my old key, you can confirm that my new key has been signed by the old key.

  gpg --check-sigs CEC6AD46

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

If you do not know my old key, or just want to confirm once more, you can check the fingerprint above.

  gpg --fingerprint CEC6AD46

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:

If you are sure you have the right key and the UIDs are as expected, it would be wonderful if you would sign my new key.

  gpg --sign-key CEC6AD46

Lastly, if you could upload these signatures, I would appreciate it. Please could you just upload the signatures to a public keyserver directly:

It would be great if you could upload the signature to a public key server after signing.

  gpg --keyserver pgp.mit.edu --send-key CEC6AD46

Please let me know if there is any trouble, and sorry for the inconvenience.

If there are any problems along the way, please let me know; sorry for the inconvenience.

Thanks, Kanru

Signed version; verify it with gpg --verify

  1. http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
  2. http://www.debian-administration.org/users/dkg/weblog/48
  3. http://csrc.nist.gov/groups/ST/hash/statement.html
  4. http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
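
The check-sigs and fingerprint steps above, combined into one scripted check (an added example, not part of the original post). It assumes the key was listed with `gpg --with-colons --with-fingerprint --check-sigs` and compares the full 40-digit fingerprints from the post rather than the 8-digit short ID, which can collide; the function names and the `SAMPLE` listing are constructed for illustration.

```sh
#!/bin/sh
# Added example. Fingerprints are copied from the post; the listing in SAMPLE
# is constructed for illustration, not real gpg output.
OLD_FPR="3278 DFB4 BB28 6E8C 9E1F  1ECB B1B7 5B5F 365C C7A2"
NEW_FPR="374F F2AD 0A12 935F D0B0  C84F 1B13 2E01 CEC6 AD46"

# Strip whitespace and uppercase so fingerprints compare as plain hex.
norm() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# sig records name the signer by long key ID: the last 16 hex digits.
long_id() { norm "$1" | tail -c 16; }

# stdin: output of  gpg --with-colons --with-fingerprint --check-sigs <new fpr>
# $1: expected new fingerprint, $2: old key fingerprint
# exit 0: new primary key present and carrying a verified signature by the old key
# exit 2: no primary key with the expected full fingerprint in the listing
# exit 3: key present, but no signature from the old key verified as good ("!");
#         "?" (signer public key missing) and "-" (bad signature) do not count
verify_transition() {
    awk -F: -v new="$(norm "$1")" -v old="$(long_id "$2")" '
        $1 == "pub" { cur = ""; primary = 1 }
        $1 == "sub" { primary = 0 }
        # appending "" forces string comparison even for all-digit hex values
        $1 == "fpr" && primary { cur = $10 ""; primary = 0
                                 if (cur == (new "")) found = 1 }
        $1 == "sig" && cur == (new "") && ($5 "") == (old "") && $2 == "!" {
            signed = 1
        }
        END { if (!found) exit 2; if (!signed) exit 3 }'
}

# Constructed listing: new key, its self-signature, and a good signature
# made by the old key (long ID B1B75B5F365CC7A2).
SAMPLE='pub:-:4096:1:1B132E01CEC6AD46:1255910400:::-:::scESC:
fpr:::::::::374FF2AD0A12935FD0B0C84F1B132E01CEC6AD46:
uid:-::::1255910400::::Kan-Ru Chen:
sig:!::1:1B132E01CEC6AD46:1255910400::::Kan-Ru Chen:13x:
sig:!::17:B1B75B5F365CC7A2:1258761600::::Kanru Chen (koster):10x:'

if printf '%s\n' "$SAMPLE" | verify_transition "$NEW_FPR" "$OLD_FPR"; then
    echo "new key matches the published fingerprint and is signed by the old key"
fi
```

Exit status 3 is the case to watch for: the old key has to be in the local keyring already, otherwise its signature shows up as `?` and proves nothing.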
Logged Out of Armed Forces Online
Nov 21st, 2009 by kanru

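Finally logged out!

Discharge order

While writing my last soldier's journal entry, I looked back over the records of this past year, and quite a lot really did happen. I was at 8 different bases in all. I started out as a work-detail laborer, later changed roles to staff clerk, and went through high-level equipment inspections, proficiency training, relocation, base training, disaster relief, a change of commanding officer and many review meetings. There truly was not a moment of leisure.

During my time as a counseling volunteer, I talked with many fellow soldiers about what was on their minds, which probably helped a little in easing their trouble adjusting. Apart from the disaster relief, I think it was the most meaningful thing I did this year :-)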

© Copyright 2004-2009 Kan-Ru Chen