Please read and verify this message about why I have two active keys and am switching to a Curve25519 key.
-----BEGIN PGP SIGNED MESSAGE-----
TL;DR: I'm switching to a Curve25519-based key rather than a
4096-bit RSA-based key. This is being posted here for
full transparency for the few (0) of you that actually
have a reason to care about the status of my OpenPGP key.
Last year, I created an RSA 4096 key pair for use with GnuPG.
Since then, I have begun to realize the benefits of using a key
pair based on elliptic curve cryptography (ECC) rather than RSA.
Namely, ECC allows for much shorter key lengths while retaining
the same level of security as much larger RSA keys. This results
in a cryptography system that is much faster, more efficient,
and better prepared for the future (looking at you, Curve448,
whenever it is that you get implemented in GnuPG).
For these reasons, I recently decided to begin migrating away
from RSA-based keys to ECC-based keys. On 11 September 2020, I
generated a key pair based on Curve25519, which I've deemed as
the best option for ECC supported by the version of GnuPG I am
currently using (GnuPG 2.2.20).
My plan is to begin using this key as my primary/default key
in GnuPG immediately for all uses where Curve25519 is currently
supported. However, it turns out some OpenPGP implementations
(mainly on Android) don't yet fully support the use of these
Curve25519 keys. Thus, I will be actively using both keys until
these implementations support Curve25519 keys. Decisions about
whether to keep my old RSA 4096 key pair active or revoke it
completely will come at a later date, once I'm sure that support
for Curve25519 in these essential applications will actually be
One of the primary, immediate changes you may notice will be in
my e-mail signature (where I keep my key's fingerprint and a
link to the public key for that key hosted on my website), as
well as various places online where I've either posted my public
key, key fingerprint, or key ID (e.g. Twitter). Rest assured
that these are authorized changes and are fully intended. E-mail
sent to me encrypted with my new Curve25519 public key will be
able to be decrypted by me on arrival.
While there are some downsides to migrating to a new, totally
different OpenPGP key, this decision seems worth it to me since
1) No one has contacted me using OpenPGP encryption anyway, and
2) No one has signed my key, negating any web of trust concerns.
The fingerprints for each of my key pairs are as follows:
AC1D 3FB1 E8A5 EB7D 14BD 587B 2932 C725 055A 90D8
D5CD 9040 9023 A8AE 0D88 79C9 2E0F 2FD5 D6F6 2336
The public keys for each key pair can be found on my website as
always, along with the https://keys.openpgp.org key server, the
https://keys.mailvelope.com key server, and https://keybase.io
(although this might disappear at some point due to the not-so-
desirable acquisition by Zoom).
As a reassurance of key ownership, I've signed this message with
signing subkeys for both my new Curve25519 key and my older RSA
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
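The statement asks the reader to verify it, and because it is signed with subkeys of both keys, a correct check is not "is there a good signature" but "is there a valid signature from each listed primary key, and no failed one". The following is an added example, not part of the signed message; it parses the machine-readable `--status-fd` output of `gpg --verify` and matches the primary-key fingerprint field of each VALIDSIG line against the two fingerprints above. The status lines, subkey fingerprints, user ID and algorithm ids in the samples are constructed.

```python
# Primary-key fingerprints listed in the statement (spaces removed); the
# message does not say which is the Curve25519 key and which is the RSA key.
TRANSITION_FPRS = {
    "AC1D3FB1E8A5EB7D14BD587B2932C725055A90D8",
    "D5CD90409023A8AE0D8879C92E0F2FD5D6F62336",
}

# Constructed sample of `gpg --status-fd 1 --verify statement.txt` output for
# a cleartext message signed by two subkeys. Subkey fingerprints (all 1s/2s),
# user ID and algorithm ids are made up. VALIDSIG's last field is the *primary*
# key fingerprint, which is what the statement lists, so that is what we match.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example User <user@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-09-11 1599868800 0 4 0 22 10 01 D5CD90409023A8AE0D8879C92E0F2FD5D6F62336
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Example User <user@example.org>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2020-09-11 1599868800 0 4 0 1 10 01 AC1D3FB1E8A5EB7D14BD587B2932C725055A90D8
"""
# Constructed: only one key signed (all a forger holding one key could make).
SAMPLE_STATUS_ONE_KEY = "\n".join(SAMPLE_STATUS.splitlines()[:3]) + "\n"
# Constructed: the second signature does not match the text (tampering).
SAMPLE_STATUS_BAD = "\n".join(SAMPLE_STATUS.splitlines()[:4]) + \
    "\n[GNUPG:] BADSIG 2222222222222222 Example User <user@example.org>\n"
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

def parse_status(status_text):
    """Map primary fingerprint -> signing-subkey fingerprint for each VALIDSIG
    line, and collect failure lines, from gpg --status-fd output."""
    valid, failures = {}, []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG":
            # The primary-key field is optional in older gpg; fall back to the
            # signing key's own fingerprint if it is absent.
            primary = fields[11] if len(fields) >= 12 else fields[2]
            valid[primary] = fields[2]
        elif fields[1] in FAILURE_KEYWORDS:
            failures.append(line)
    return valid, failures

def verify_transition(status_text, expected_fprs):
    """Accept only if every expected primary key produced a VALIDSIG and no
    signature failed. Returns (ok, sorted list of missing fingerprints)."""
    valid, failures = parse_status(status_text)
    missing = sorted(set(expected_fprs) - set(valid))
    return (not missing and not failures, missing)
```

Matching on the primary-key field matters here: the signatures are made by subkeys, whose own fingerprints are not the ones published in the statement.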