What are the reasons that a vendor would change their PGP key?

So I saw that, in light of Onymous, a vendor is changing his key. He said that, when he does this, he will submit a signed message (presumably with the old key?) to verify that it is him.

What would be the opsec reasons for doing so? Are more recent keys/versions more secure? Thoughts? Thanks!


Comments


[8 Points] None:

Lost USB, forgot private key, account now controlled by LE and is a honeypot. All the things I can think of right now.


[7 Points] dapurrrrre:

Upgrade to 4096-bit encryption is one reason. Routine change another. Just make sure you verify the signature using the old key.


[2 Points] sapiophile:

Make sure that the signed message introducing the new key is very clear and explicit, and contains either the full public key block of the new key or its entire key fingerprint. If all it says is "the new key has [this email] and [this name]", don't trust it for a second.

Also acceptable would be a direct Trust Signature on the new key from the old one.


[1 Points] toss-1:

One reason that's glaring is the public key is tied to all the vendor's transactions. Meaning if you go to El Pres's Vendor Directory onion site, it tells how many transactions are on the key.

Yes, expiration dates and other donkey occurrences happen, but if you're a mid-tier vendor, say 6 figures plus a year, it'd make sense to change imo.

Most vendors that swap keys will provide a signature from the original for verification.

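A check that follows the advice in dapurrrrre's, sapiophile's and toss-1's comments above, as an added example that is not code from this thread: the transition statement must verify against the old key's full primary fingerprint, and the statement itself must name the new key's full fingerprint, so a message that only says "same name and email" is rejected. The gpg flags used (`--batch --status-fd 1 --verify`) and the VALIDSIG status-line layout are real gpg behaviour; the fingerprints, the statement text and the captured status lines are constructed samples.

```python
"""
Verify a PGP key-transition statement: signed by the OLD key, naming the NEW key
by full fingerprint. Added example, not code from the thread. The gpg invocation
and the VALIDSIG field layout are real; all fingerprints and sample text below
are constructed for illustration.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Set

# A full OpenPGP v4 fingerprint: 10 groups of 4 hex digits, optionally separated
# by one or two spaces (gpg prints a double space between groups 5 and 6).
# The \b anchors stop a 64-hex SHA-256 string or a 16-hex long key ID matching.
_FPR_RE = re.compile(r"\b(?:[0-9A-Fa-f]{4} {0,2}){9}[0-9A-Fa-f]{4}\b")


def normalize_fpr(s: str) -> str:
    """Strip whitespace and upper-case a fingerprint so it can be compared."""
    return re.sub(r"\s+", "", s).upper()


def fingerprints_in(text: str) -> Set[str]:
    """Every full 40-hex-digit fingerprint that appears in the statement body."""
    return {normalize_fpr(m.group(0)) for m in _FPR_RE.finditer(text)}


def signing_primary_fpr(status_lines: List[str]) -> Optional[str]:
    """
    Pull the signer's PRIMARY key fingerprint out of gpg --status-fd output.
    VALIDSIG fields: <sig-key fpr> <date> <timestamp> <expire-ts> <sig-version>
                     <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary fpr>
    Vendors often sign with a subkey, so compare the last field (primary key)
    against the fingerprint published on the market profile.
    """
    for line in status_lines:
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            return normalize_fpr(fields[11] if len(fields) > 11 else fields[2])
    return None


@dataclass
class TransitionCheck:
    ok: bool
    reason: str


def check_transition(statement: str, status_lines: List[str],
                     old_fpr: str, new_fpr: str) -> TransitionCheck:
    """old_fpr: the fingerprint you recorded for the vendor long ago.
    new_fpr: what `gpg --fingerprint` prints for the key the vendor now publishes."""
    old_fpr, new_fpr = normalize_fpr(old_fpr), normalize_fpr(new_fpr)
    # A statement signed after the old key was revoked proves nothing: whoever
    # caused the revocation (e.g. a thief of the key) could have signed it too.
    if any(l.startswith("[GNUPG:] REVKEYSIG") for l in status_lines):
        return TransitionCheck(False, "signed with a revoked key")
    signer = signing_primary_fpr(status_lines)
    if signer is None:
        return TransitionCheck(False, "no valid signature (no VALIDSIG line)")
    if signer != old_fpr:
        return TransitionCheck(False, f"signed by {signer}, not the old key {old_fpr}")
    named = fingerprints_in(statement)
    if not named:
        return TransitionCheck(False, "statement names no full fingerprint (name/email only)")
    if new_fpr not in named:
        return TransitionCheck(False, "statement does not name the new key's fingerprint")
    return TransitionCheck(True, "signed by old key and names the new fingerprint")


def gpg_status(signed_path: str) -> List[str]:
    """Run gpg on a clearsigned statement (old public key already imported) and
    return only its machine-readable status lines."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", signed_path],
                          capture_output=True, text=True)
    return [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:]")]


# --- constructed sample data (fingerprints are made up) ---------------------
OLD_FPR = "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"
NEW_FPR = "BBBB CCCC DDDD EEEE FFFF  0000 1234 5678 9ABC DEF0"

GOOD_STATEMENT = """\
Key transition statement (constructed sample)
I am retiring my old key 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA.
My new key is:
  BBBB CCCC DDDD EEEE FFFF  0000 1234 5678 9ABC DEF0
Verify this message against the old key before trusting the new one.
"""
BAD_STATEMENT = "My new key has the same name and email as before. Trust it.\n"

# Stand-in for gpg's status output: a good signature made by a signing subkey
# (first fingerprint) whose primary key is the vendor's OLD key (last field).
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Vendor <vendor@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-11-08 "
    "1415404800 0 4 0 1 10 01 111122223333444455556666777788889999AAAA",
]

if __name__ == "__main__":
    print(check_transition(GOOD_STATEMENT, GOOD_STATUS, OLD_FPR, NEW_FPR))
    print(check_transition(BAD_STATEMENT, GOOD_STATUS, OLD_FPR, NEW_FPR))
```

In practice you would import the vendor's old public key, run `gpg_status("transition.asc")`, and pass the resulting lines to `check_transition` along with the fingerprint you saved when you first dealt with the vendor and the one `gpg --fingerprint` shows for the new key. A trust signature from the old key on the new key, the alternative sapiophile mentions, is checked with `gpg --check-sigs` and is not covered by this code.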

[1 Points] FriendlyDrugAddict:

If a vendor feels the need to change their PGP key, I feel the vendor should come back under a whole new name; old links can be bad if they felt the need to upgrade their PGP key.


[1 Points] Colorado_Vend:

If you are me, you accidentally formatted over the PGP key and thought you had it backed up but didn't. Admins of the markets were able to confirm my identity and unlock my accounts (used PGP 2FA) because I was able to tell them in detail the most recent orders and a few other things that only I would know.


[0 Points] mr217:

Definitely safer if the vendor occasionally changes his PGP; think of the private key like a password.

