Update our OpenPGP keys in 2019
What we're supposed to do each year:
- Bump the master key's expiration date by 1 year.
- Generate a new signing subkey for each RM, and move it onto new smartcards (the old ones are still needed to keep the previous subkey during the transition period).
- If needed, generate and split a revocation certificate for our signing key. See internal.git for details.
- Update the public key in
- Update references to the public key at least in
- Create a ticket about updating our OpenPGP keys next year.
To be done at the summit during northern hemisphere summer.
Given the RMs won't meet in person at the right time for the necessary key update in ~August, there's no way we give them new signing subkeys on OpenPGP hardware in due time. So we have no choice but to:
- by the end of October: enough Tails folks meet to postpone the expiration date of the master (sic) key and the RM's signing subkeys; I'll try my best to make this happen
- ship these updated pubkeys in Tails 3.17 so updates from 3.17 to the next couple releases work
- next time enough RMs meet (probably November): generate fresh subkeys and move them to hardware tokens
- at some well chosen time after that, switch to the new subkeys when signing stuff