Key usage / Number of keys

Graham graham@todd276.worldonline.co.uk
Tue, 19 Dec 2000 12:17:41 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there, GaryP,

On 19 December 2000, I received the following message from you regarding
"Key usage / Number of keys"

G>   Hi,
G> 
G>   I've generated a key pair at home which I use to encrypt and sign
G> messages. I keep my trustdb and secret keyring on a write-protected floppy
G> disk, to prevent any other user modifying the contents. Mainly on floppy
G> to reduce the time it's actually available for copying on the computer. I
G> know there are ways around this, but it makes it a little harder for
G> people to get access to my secring.
G> 
G>   The question is, I want to sign/encrypt emails sent from work. Should I
G> generate a new key pair for use just at work, allowing a separate ID
G> that would contain my work email as opposed to my home email? Or should
G> I simply use the home key that I have on floppy disk?
G> 
G>   The problem with the first is having two keys / trust DBs etc. to
G> maintain, but this does mean I can use a different passphrase, meaning
G> if the passphrase was captured it would only compromise my work and not
G> home keys (and vice versa). This is even more true given that
G> the work computer will be shared with other users; I have a lot more
G> control over how and who uses my home computer (aside from really
G> paranoid ideas of people breaking in to my home computer, which I'm not
G> worried about; my information isn't that important ;-)
G> 
G>   The problem with the second is the user ID will be my home email address
G> and not my work email, which some people may find strange.
G> 
G>   Does anyone else do something similar to this? Do you have two keys,
G> or have you found another way around this?
G> 
G>   Cheers,

As a general rule, under both GnuPG and PGP, I generate a key pair for
*each e-mail address* I shall use to send signed/encrypted mail.  If
you are really trying to make your mail as secure as possible, each
key pair will have a different passphrase, but for a small number of
addresses a common passphrase would do (although if the passphrase is
known by others they will then know all your passphrases... so it's
often a trade-off between security and what you can remember).

You can keep all your keys on a floppy which is then used from machine
to machine (I've never actually done this with GnuPG, only with PGP
under Windows).

Hope this helps..

Graham                  reply to: graham@todd276.worldonline.co.uk

Please PGP/GnuPG sign mail for verification and encrypt for internet security

Written on 19 December 2000 12:11:02
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4b-winpt (MingW32)
Comment: For info see http://www.gnupg.org

iD8DBQE6P1HatwKLKus4nE4RAgVXAKCAomy9BCHieT8B9ms7Z/MjSk5exwCggWIW
Er8Wdt2OW9I4b+85kosMWdc=
=0l9P
-----END PGP SIGNATURE-----

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org
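Added example (not part of the thread above, and not the poster's or the GnuPG project's code): a small shell script showing Graham's practice of one GnuPG key pair per e-mail address, each with its own passphrase, all kept in a keyring directory on removable media and selected with --homedir and --local-user. It also checks the point GaryP raised, that the home passphrase does not unlock the work key. It assumes a modern GnuPG (2.1 or later, for --quick-gen-key and --pinentry-mode loopback); the gpg 1.0.4 of this thread used different options (--secret-keyring, --keyring). The names, addresses, passphrases and the KEYDIR path are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: one GnuPG key pair per
# e-mail address, each with its own passphrase, all living in a keyring
# directory on removable media and selected with --homedir / --local-user.
# Assumes GnuPG 2.1+ (--quick-gen-key, --pinentry-mode loopback); the gpg
# 1.0.4 of the original thread used different options. Names, addresses,
# passphrases and the KEYDIR path are made up for the demonstration.

set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"   # stands in for the floppy / USB mount point

# gpg wrapper: always the removable keyring, never ~/.gnupg, never a pinentry
# prompt (passphrases are supplied explicitly so the steps run unattended).
g() {
    gpg --homedir "$KEYDIR" --batch --yes --quiet --no-tty \
        --pinentry-mode loopback "$@"
}

init_keydir() {
    mkdir -p "$KEYDIR"
    chmod 700 "$KEYDIR"      # gpg warns on group/world-accessible homedirs
    # no passphrase caching: every signature needs the passphrase of *that*
    # key, which is the isolation the separate-passphrase approach is for
    printf 'allow-loopback-pinentry\ndefault-cache-ttl 0\nmax-cache-ttl 0\n' \
        > "$KEYDIR/gpg-agent.conf"
}

# fingerprint <email>: fingerprint of the key whose user ID carries that address
fingerprint() {
    g --with-colons --list-keys "<$1>" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# make_key <name> <email> <passphrase>: one key pair per address with its own
# passphrase (sign+certify primary plus encryption subkey); no-op if it exists
make_key() {
    [ -n "$(fingerprint "$2")" ] && return 0
    g --passphrase "$3" --quick-gen-key "$1 <$2>" default default 0
}

# number of primary secret keys on the removable keyring
secret_key_count() {
    g --with-colons --list-secret-keys | grep -c '^sec:' || true
}

# sign_as <email> <passphrase> <file> <sigfile>: detached signature with the
# key for that address only; fails if the passphrase does not unlock that key
sign_as() {
    g --passphrase "$2" --local-user "<$1>" --output "$4" --detach-sign "$3"
}

# verify <file> <sigfile>: exit 0 only if the signature checks out
verify() {
    g --verify "$2" "$1" 2>/dev/null
}

cleanup() {
    gpgconf --homedir "$KEYDIR" --kill gpg-agent 2>/dev/null || true
}

# demo: two keys, two passphrases; the work key signs work mail, and the home
# passphrase cannot unlock it (a passphrase captured at work stays at work)
demo() {
    init_keydir
    make_key "Gary Home" "gary@example.org" "home-passphrase"
    make_key "Gary Work" "gary@example.com" "work-passphrase"
    msg="$KEYDIR/msg.txt"
    printf 'hello from work\n' > "$msg"
    if sign_as "gary@example.com" "home-passphrase" "$msg" "$msg.bad.sig" 2>/dev/null; then
        echo "home passphrase unlocked the work key: isolation failed" >&2
        return 1
    fi
    sign_as "gary@example.com" "work-passphrase" "$msg" "$msg.sig"
    verify "$msg" "$msg.sig"
}

if [ "${1:-}" = "demo" ]; then
    demo && echo "work key signed and verified; home passphrase rejected"
    cleanup
fi
```

Run it as `sh keys.sh demo` with KEYDIR pointing at the mounted removable disk. Every gpg call goes through the wrapper so nothing is ever read from or written to ~/.gnupg on a shared machine; the gpg-agent.conf written into the keyring directory turns off passphrase caching, because with the default cache a passphrase typed once would keep unlocking the key for minutes afterwards on that machine.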