Please read and verify this message about why I have two active keys and am switching to a Curve25519 key.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello everyone!

TL;DR: I'm switching to a Curve25519-based key rather than a 4096-bit RSA-based key.

This is being posted here for full transparency for the few (0) of you that actually have a reason to care about the status of my OpenPGP key.

Last year, I created an RSA 4096 key pair for use with GnuPG. Since then, I have begun to realize the benefits of using a key pair based on elliptic curve cryptography (ECC) rather than RSA. Namely, ECC allows for much shorter key lengths while retaining the same level of security as much larger RSA keys. This results in a cryptography system that is much faster, more efficient, and better prepared for the future (looking at you, Curve448, whenever it is that you get implemented in GnuPG). For these reasons, I recently decided to begin migrating away from RSA-based keys to ECC-based keys.

On 11 September 2020, I generated a key pair based on Curve25519, which I've deemed as the best option for ECC supported by the version of GnuPG I am currently using (GnuPG 2.2.20). My plan is to begin using this key as my primary/default key in GnuPG immediately for all uses where Curve25519 is currently supported. However, it turns out some OpenPGP implementations (mainly on Android) don't yet fully support the use of these Curve25519 keys. Thus, I will be actively using both keys until these implementations support Curve25519 keys. Decisions about whether to keep my old RSA 4096 key pair active or revoke it completely will come at a later date, once I'm sure that support for Curve25519 in these essential applications will actually be added.

One of the primary, immediate changes you may notice will be in my e-mail signature (where I keep my key's fingerprint and a link to the public key for that key hosted on my website), as well as various places online where I've either posted my public key, key fingerprint, or key ID (e.g. Twitter). Rest assured that these are authorized changes and are fully intended. E-mail sent to me encrypted with my new Curve25519 public key will be able to be decrypted by me on arrival.

While there are some downsides to migrating to a new, totally different OpenPGP key, this decision seems worth it to me since 1) No one has contacted me using OpenPGP encryption anyway, and 2) No one has signed my key, negating any web of trust concerns.

The fingerprints for each of my key pairs are as follows:

Curve25519: AC1D 3FB1 E8A5 EB7D 14BD 587B 2932 C725 055A 90D8
RSA 4096: D5CD 9040 9023 A8AE 0D88 79C9 2E0F 2FD5 D6F6 2336

The public keys for each key pair can be found on my website as always, along with the https://keys.openpgp.org key server, the https://keys.mailvelope.com key server, and https://keybase.io (although this might disappear at some point due to the not-so-desirable acquisition by Zoom).

As a reassurance of key ownership, I've signed this message with signing subkeys for both my new Curve25519 key and my older RSA 4096 key.

Clear skies,
Elijah Mathews
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----