[GeneralQuestions] Changing PGP key

Can vendors change their PGP keys as they like? Or do they have to somehow prove that their accounts weren't compromised?

Thanks for the answers. (throwaway)


Comments


[2 Points] Theeconomist1:

A vendor can change the key whenever and as often as they like. It's considered best practice, though, for the vendor to sign the new key with their old key to show they still control the old key and lessen the chance that it was due to a compromise. Sometimes shit happens and this isn't possible. But that's the best practice.


[2 Points] The_fire_bird:

Generally speaking, if I'm not given advance warning that a (master) key will change then I wouldn't trust the new key.

New sub key? Sure, no problem!

But a new master key? Unless the old one expired, I'd be hesitant. Just about anything else would have me believing that someone was trying to deceive me into trusting their key.


[1 Points] sapiophile:

If they sign the new key with the old key, this is fine, and in some cases a good thing.

If they will not sign the new key with the old key, or otherwise will not corroborate the new key with their old one (like with an OpenPGP-signed message, made with the old key, that includes the new key's fingerprint), this is A HUGE RED FLAG and communication/dealings with that vendor should stop immediately.
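
The two-sided check described in the comments above (the old key certifies the new one, and a statement signed by the old key names the new fingerprint), written out as an added example that is not part of this thread. It uses GnuPG in a throwaway keyring with hypothetical identities (`old@vendor.invalid` and so on); the function names and the wording of the transition statement are illustrative assumptions. In practice the buyer imports the vendor's new public key and the signed statement, then runs the same checks against the old key already on their keyring:

```shell
#!/bin/sh
# Added example (not from the thread): a PGP key transition done with GnuPG, plus the checks
# a buyer can script against it. Assumes gpg (GnuPG 2.1+) is on PATH. Everything lives in a
# throwaway GNUPGHOME so no real keyring is touched; the three identities are hypothetical.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 1; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT
STMT="$GNUPGHOME/transition.txt"

# Demo keys carry no passphrase, so every secret-key operation runs unattended.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# --- Vendor side ---------------------------------------------------------------
# 1. The old key (already trusted by buyers), its replacement, and an unrelated impostor key.
g --quick-gen-key 'Vendor (old key) <old@vendor.invalid>' ed25519 sign
g --quick-gen-key 'Vendor (new key) <new@vendor.invalid>' ed25519 sign
g --quick-gen-key 'Impostor <impostor@vendor.invalid>'     ed25519 sign
OLD_FPR=$(fpr_of old@vendor.invalid)
NEW_FPR=$(fpr_of new@vendor.invalid)
IMP_FPR=$(fpr_of impostor@vendor.invalid)

# 2. Certify the new key with the old one ("sign the new key with the old key").
g --yes -u "$OLD_FPR" --quick-sign-key "$NEW_FPR"

# 3. Clearsign a transition statement with the old key that names the new fingerprint.
printf 'Retiring key %s. My new key fingerprint is %s\n' "$OLD_FPR" "$NEW_FPR" > "$STMT"
g --yes -u "$OLD_FPR" --clearsign --output "$STMT.asc" "$STMT"

# --- Buyer side ----------------------------------------------------------------
# Each check is a function returning 0 (pass) or 1 (fail), so it can be scripted.

# Does key $2 carry a good certification made by key $1? --check-sigs verifies every
# signature; in colon output field 2 is "!" for a good one and field 5 the signer's long key ID.
key_certified_by() {
  signer_id=$(printf '%s' "$1" | tail -c 16)
  gpg --batch --with-colons --check-sigs "$2" 2>/dev/null \
    | awk -F: -v id="$signer_id" '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 } END { exit !ok }'
}

# Was the statement signed by key $1? The VALIDSIG status line carries the signing key's
# fingerprint; matching on the human-readable "Good signature" text would be fragile.
statement_signed_by() {
  gpg --batch --status-fd 1 --verify "$STMT.asc" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG $1 "
}

# Does the signed text itself (not the armor or the signature) mention fingerprint $1?
statement_names_key() {
  gpg --batch --decrypt "$STMT.asc" 2>/dev/null | grep -q "$1"
}

# Accept a new key only if the old key certifies it AND an old-key-signed statement names it.
transition_ok() {
  key_certified_by "$OLD_FPR" "$1" && statement_signed_by "$OLD_FPR" && statement_names_key "$1"
}

if transition_ok "$NEW_FPR"; then echo "OK: $OLD_FPR vouches for $NEW_FPR"; else echo "REJECT $NEW_FPR"; fi
if transition_ok "$IMP_FPR"; then echo "BUG: impostor accepted"; else echo "REJECT $IMP_FPR (no link to the old key)"; fi
```

The impostor key shows the failure mode the comments warn about: a perfectly valid PGP key that the old key never certified fails `transition_ok`, however convincing its user ID looks. The check only proves that whoever made the transition controlled the old key at signing time; if the old key itself was compromised, an attacker can produce exactly the same certification and statement, which is why a rotation announced in advance under the old key is stronger evidence than the signatures alone.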


[1 Points] matafixthrow:

I get that.

However, consider that I got refunded when I FEd. Could it still be run by LE?