Please read and verify this message about why I have two active keys and am switching to a Curve25519 key.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello everyone!
TL;DR: I'm switching to a Curve25519-based key rather than a
4096-bit RSA-based key. This is being posted here for
full transparency for the few (0) of you that actually
have a reason to care about the status of my OpenPGP key.
Last year, I created an RSA 4096 key pair for use with GnuPG.
Since then, I have began to realize the benefits of using a key
pair based on elliptic curve cryptography (ECC) rather than RSA.
Namely, ECC allows for much shorter key lengths while retaining
the same level of security as much larger RSA keys. This results
in a cryptography system that is much faster, more efficient,
and better prepared for the future (looking at you, Curve448,
whenever it is that you get implemented in GnuPG).
For these reasons, I recently decided to begin migrating away
from RSA-based keys to ECC-based keys. On 11 September 2020, I
generated a key pair based on Curve25519, which I've deemed as
the best option for ECC supported by the version of GnuPG I am
currently using (GnuPG 2.2.20).
My plan is to begin using this key as my primary/default key
in GnuPG immediately for all uses where Curve25519 is currently
supported. However, it turns out some OpenPGP implementations
(mainly on Android) don't yet fully support the use of these
Curve25519 keys. Thus, I will be actively using both keys until
these implementations support Curve25519 keys. Decisions about
whether to keep my old RSA 4096 key pair active or revoke it
completely will come at a later date, once I'm sure that support
for Curve25519 in these essential application will actually be
added.
One of the primary, immediate changes you may notice will be in
my e-mail signature (where I keep my key's fingerprint and a
link to the public key for that key hosted on my website), as
well as various places online where I've either posted my public
key, key fingerprint, or key ID (e.g. Twitter). Rest assured
that these are authorized changes and are fully intended. E-mail
sent to me encrypted with my new Curve25519 public key will be
able to be decrypted by me on arrival.
While there are some downsides to migrating to a new, totally
different OpenPGP key, this decision seems worth it to me since
1) No one has contacted me using OpenPGP encryption anyway, and
2) No one has signed my key, negating any web of trust concerns.
The fingerprints for each of my key pair are as follows:
Curve25519:
AC1D 3FB1 E8A5 EB7D 14BD 587B 2932 C725 055A 90D8
RSA 4096:
D5CD 9040 9023 A8AE 0D88 79C9 2E0F 2FD5 D6F6 2336
The public keys for each key pair can be found on my website as
always, along with the https://keys.openpgp.org key server, the
https://keys.mailvelope.com key server, and https://keybase.io
(although this might disappear at some point due to the not-so-
desirable acquisition by Zoom).
As a reassurance of key ownership, I've signed this message with
signing subkeys for both my new Curve25519 key and my older RSA
4096 key.
Clear skies,
Elijah Mathews
-----BEGIN PGP SIGNATURE-----
iIwEARYKADQWIQT+dRwGeFiC1nHyLqhWn8cb8jYh6AUCX3JKSBYccGdwQGVsaWph
aG1hdGhld3MuY29tAAoJEFafxxvyNiHoZyUBAMugEG2q1vKbE6cygEkyiJpeDlXM
uS2ryLXWF10NztzvAQDnbCynQVX1cMKnubZCZsNNU39JRJoTSsnC6k0eUMR+B4kC
SQQBAQoAMxYhBHiTsa2C6juxDXSJR3F/PdFOuB9FBQJfckpQFRxtZUBlbGlqYWht
YXRoZXdzLmNvbQAKCRBxfz3RTrgfRQhuEACfq7U7yi8pMOldS9uM5k1DCCaZuyte
6U/79INwrBKRV0zW1dDRKZUWCZXX9UJRIMIn1inp5OueHN3YI70phscnJB1hcHYY
o4mfSXDkdCWVzpJFIj9AAnAWXeCxTJx2y43SDT1IyFJvty6ZlHRKNO87QOKJJDHl
Z6Fh9MQnpLmPfTI3zncAIiIfat+oTj3iQX0ueE2lqfLU6rJJZu/y4lTDMwdal0yD
awSPhWXUi2nE1mkvNgoVgcgZfyDJqocZlNO2+1pxyP+hSP7rVwd0V4xOywFIpKl/
37dia5Lq61Cjw7q/kY0MVluOIKYWjZ+e62X0hA2i1HCX7ltUHvPLYB4dnwmqzJDH
fB1YjAObc6w5wbky0JGE2AMAbTEA76kqkKu1uI/E7vMJIBjCvsUzD327bqlGyvZb
z6KPK+2p9RLTtdC279MpBms5rfrzv+H791lOiGkH5drxg6Y6sSK72bWUEOLyR+lZ
xRNx2c9naPK2dfxK04iduHgbQkHLxA9Vj8+8qRo3ntHgxJLrB3MlesNDBCbPU9Fr
hmLPnDzoMCjOiO7anFDTqHTUtwrUXzUCZpHd1Cj+xZ0fa5+GU7jwz+NdyAv0uo0f
Ie3mT891qhrVXh/H18kmIBvr3Ryhirqj0Ycx+r1fHH9JILDTJ1SoI+HYQDF/wEEo
RAtcogIK1ZG2/w==
=vWTD
-----END PGP SIGNATURE-----