trying to understand UID and subkeys
dshaw at jabberwocky.com
Thu Mar 5 15:10:20 CET 2009
On Mar 5, 2009, at 4:22 AM, Felipe Alvarez wrote:
> Me again. Sorry to sound newbish. I've googled, but I haven't found
> anything quite as detailed enough for me to grasp the 'whole
> forest' (so to speak). My question is regarding 'subkeys.' Let me
> know if I am getting the wording/terminology incorrect.
> I understand that when I 'gen-key' I create a 'signing' key (to
> identify tampering/modification) and an 'encryption' key (shouldn't
> this be a DEcryption key? Wouldn't I use this for DEcrypting docs
> encrypted with my public key? But I digress).
> I am also able to add extra UIDs to my public key, so I can have,
> say 4 different email addresses, all attached to the same public
> key. Does this mean I have several SIGNING keys, or several
> DEcryption keys?
Neither. It means you have 4 different ways other people can find
your key. An OpenPGP key is made up of a pile of keys (a primary key
plus some number of subkeys) and a pile of user IDs. Any of the user
IDs can be used to locate the key as a whole. Sometimes people set
different preferences (essentially hints to the sender on how to
encrypt data) on different user IDs, but the key that they encrypt to,
and thus the key that you decrypt with, remains the same.
> Why would I want to create new 'subkeys?' Of what benefit to have,
> say 5 subkeys belonging to one (master)(private)(signing) key?
One reason is to have different keys for different purposes. You can
have one subkey for encryption, one subkey for signing, and leave your
primary key for certification. This lets you do tricks like keeping
your primary key offline. This is useful as the primary key is the
most "valuable" key (since it can make more subkeys), so protecting it
is a good idea.
> What do the letters to the right of the words "usage" mean?
> (S,C,A,E) I can only guess |S|ign, |E|ncrypt, ....
(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example,
(E)ncrypt: encrypt data
More information about the Gnupg-users