Multiple addresses: adduid vs. addkey vs --gen-key
Dave Dribin
dribin@thenetsquad.com
Wed Mar 21 07:38:04 2001
Hello,
I've read over the manual and I'm still a bit confused as to the
"best" way to use multiple email addresses. It seems to me there are
3 ways: adduid, addkey and --gen-key. I've detailed the pros and
cons (in my opinion) of each method. Please expand and/or correct any
of the issues.
1) adduid
This is probably what I want to use (but I just want to make sure).
My only issue is: what happens when I change email addresses? The
manual says that user IDs should not be deleted:
http://www.gnupg.org/gph/en/manual.html#AEN282
and user IDs cannot be revoked:
http://www.gnupg.org/gph/en/manual.html#AEN305
It mentions that I can *effectively* revoke the user ID using revsig.
However, as Josh Huber pointed out, the revoked key is visible
forever:
http://lists.gnupg.org/pipermail/gnupg-users/2001-February/007795.html
I can imagine after 20 years of use, there will be many revoked
signatures cluttering the valid signatures. Unless, of course, there
is some way to "hide" revoked IDs.
2) addkey
Ok, I'm not even sure what a subkey is and what its intended use is.
From what I can tell, you can use multiple subkeys to differentiate
between email addresses. The advantage here is that I can actually
revoke a subkey, where I cannot revoke a user ID. I'm guessing that
the passphrase is the same as the original (master?) key. I have no
idea what the disadvantages would be, although there must be something
I'm missing. :)
3) --gen-key
This would create 2 separate public/private key pairs (say I create
one for personal and one for work) with two separate passphrases, two
separate fingerprints, etc. This would seem like a good idea except
that it may confuse some people who interact with me on a work and
personal level. Plus I have to remember 2 passphrases and remember to
switch keys when signing/encrypting stuff. Besides, I really am one
person. In the "real" world I use the same signature on personal
documents as well as work documents, so why shouldn't I do the same in
the digital world? Besides, in reality, I have more than 2 email
addresses (though they could probably be grouped into "personal" and
"work").
Thanks for any insight!
-Dave
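As an added example (not from Dave's post or the GnuPG project), the script below walks through the three approaches in a throwaway keyring using modern GnuPG 2.x equivalents (--quick-generate-key, --quick-add-uid, --quick-add-key), revokes the added subkey, and shows that the revoked subkey remains in the key listing. It assumes gpg (GnuPG 2.1 or later) is on PATH; the user IDs are constructed test data and the keys are created without a passphrase so the run is unattended.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GnuPG 2.1+ on PATH.
# Keys here are unprotected throwaway test keys living in a temporary GNUPGHOME.

# Count revoked subkeys in "gpg --with-colons" output read on stdin (validity "r").
revoked_subkeys() { awk -F: '$1=="sub" && $2=="r"{n++} END{print n+0}'; }
# Count user IDs in "gpg --with-colons" output read on stdin.
uid_count()       { awk -F: '$1=="uid"{n++} END{print n+0}'; }

gpg_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping demo"; return 0; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME; chmod 700 "$GNUPGHOME"
    # Test keys only: empty passphrase so every step runs without a prompt.
    g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

    # 3) --gen-key: a brand-new primary key (plus the default encryption subkey)
    g --quick-generate-key "Dave Test <dave@personal.example>" default default never || return 1
    fpr=$(gpg --with-colons --list-keys dave@personal.example | awk -F: '$1=="fpr"{print $10; exit}')

    # 1) adduid: the second address becomes another user ID on the same primary key
    g --quick-add-uid "$fpr" "Dave Test <dave@work.example>" || return 1

    # 2) addkey: an extra signing subkey; it is "key 2" inside --edit-key
    g --quick-add-key "$fpr" default sign 1y || return 1

    # Revoke that subkey; the answers to revkey's prompts are fed on stdin:
    # confirm (y), reason code 0, empty description, confirm (y), then save.
    printf 'key 2\nrevkey\ny\n0\n\ny\nsave\n' | g --command-fd 0 --edit-key "$fpr" || return 1

    listing=$(gpg --with-colons --list-keys "$fpr")
    echo "$listing" | grep -E '^(pub|sub|uid):'    # revoked subkey is still listed, as sub:r:
    gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"
    [ "$(echo "$listing" | uid_count)" -eq 2 ] && [ "$(echo "$listing" | revoked_subkeys)" -eq 1 ]
}

gpg_demo
```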