Multiple addresses: adduid vs. addkey vs --gen-key

Dave Dribin dribin@thenetsquad.com
Wed Mar 21 07:38:04 2001


Hello,

I've read over the manual and I'm still a bit confused as to the
"best" way to use multiple email addresses.  It seems to me there are
3 ways: adduid, addkey and --gen-key.  I've detailed what are the pros
and cons (in my opinion) for each method.  Please expand and/or
correct any of the issues.

1) adduid

This is probably what I want to use (but I just want to make sure).
My only issue is that what happens when I change email addresses?  The
manual says that user IDs should not be deleted:

  http://www.gnupg.org/gph/en/manual.html#AEN282

and user IDs cannot be revoked:

  http://www.gnupg.org/gph/en/manual.html#AEN305

It mentions that I can *effectively* revoke the user ID using revsig.
However, as Josh Huber pointed out, the revoked key is visible
forever:

  http://lists.gnupg.org/pipermail/gnupg-users/2001-February/007795.html

I can imagine after 20 years of use, there will be many revoked
signatures cluttering the valid signatures.  Unless, of course, there
is some way to "hide" revoked IDs.

2) addkey

Ok, I'm not even sure what a subkey is and what its intended use is.

From what I can tell, you can use multiple subkeys to differentiate
between email addresses.  The advantage here is that I can actually
revoke a subkey, where I cannot revoke a user ID.  I'm guessing that
the passphrase is the same as the original (master?) key.  I have no
idea what the disadvantages would be, although there must be something
I'm missing. :)

3) --gen-key

This would create 2 separate public/private key pairs (say I create
one for personal and one for work) with two separate passphrases, two
separate fingerprints, etc.  This would seem like a good idea except
that it may confuse some people who interact with me on a work and
personal level.  Plus I have to remember 2 passphrases and remember to
switch keys when signing/encrypting stuff.

Besides, I really am one person.  In the "real" world I use the same
signature on personal documents as well as work documents, so why
shouldn't I do the same in the digital world?  Besides, in reality, I
have more than 2 email addresses (though they could probably be
grouped into "personal" and "work").

Thanks for any insight!

-Dave
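An added example, not part of Dave's post or of GnuPG itself, that addresses the clutter concern raised under adduid: it parses the machine-readable listing that `gpg --list-keys --with-colons` prints (record type in field 1, validity in field 2 where `r` means revoked, key ID in field 5, user ID in field 10, subkey capabilities in field 12) and separates live user IDs and subkeys from revoked ones, so a front end can show only the live entries. The listing embedded below is constructed sample output; the key IDs, hash and names are placeholders, not real key data.

```python
"""Split a GnuPG colon listing into active and revoked user IDs / subkeys."""
from dataclasses import dataclass, field

# Constructed sample of `gpg --list-keys --with-colons` output (placeholder IDs).
SAMPLE_LISTING = """\
tru::1:1000000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1000000000:::u:::scESC:
uid:u::::1000000000::PLACEHOLDERHASH::Dave Example <dave@example.com>::
uid:r::::1000000000::PLACEHOLDERHASH::Dave Example <old@example.org>::
sub:u:2048:1:FEDCBA9876543210:1000000000::::::e:
sub:r:2048:1:0011223344556677:1000000000::::::s:
"""


@dataclass
class KeySummary:
    keyid: str
    uids: list = field(default_factory=list)      # (user_id, revoked)
    subkeys: list = field(default_factory=list)   # (keyid, capabilities, revoked)


def parse_colon_listing(text):
    """Group uid and sub records under the pub record they belong to."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = KeySummary(keyid=f[4])
            keys.append(current)
        elif current is None:
            continue                      # tru/other records before first pub
        elif f[0] == "uid":
            # gpg escapes ':' inside a user ID as \x3a; undo that here.
            current.uids.append((f[9].replace("\\x3a", ":"), f[1] == "r"))
        elif f[0] == "sub":
            current.subkeys.append((f[4], f[11], f[1] == "r"))
    return keys


def active_uids(key):
    return [uid for uid, revoked in key.uids if not revoked]


def revoked_uids(key):
    return [uid for uid, revoked in key.uids if revoked]


def active_subkeys(key):
    return [(kid, caps) for kid, caps, revoked in key.subkeys if not revoked]


if __name__ == "__main__":
    for key in parse_colon_listing(SAMPLE_LISTING):
        print(key.keyid, "live uids:", active_uids(key))
        print(key.keyid, "hidden (revoked) uids:", revoked_uids(key))
        print(key.keyid, "live subkeys:", active_subkeys(key))
```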