trying to understand UID and subkeys

David Shaw dshaw at jabberwocky.com
Thu Mar 5 15:10:20 CET 2009


On Mar 5, 2009, at 4:22 AM, Felipe Alvarez wrote:

>
> Me again. Sorry to sound newbish. I've googled, but I haven't found  
> anything quite as detailed enough for me to grasp the 'whole  
> forest' (so to speak). My question is regarding 'subkeys.' Let me  
> know if I am getting the wording/terminology incorrect.
>
> I understand that when I 'gen-key' I create a 'signing' key (to  
> identify tampering/modification) and an 'encryption' key (shouldn't  
> this be a DEcryption key? Wouldn't I use this for DEcrypting docs  
> encrypted with my public key? But I digress).
>
> I am also able to add extra UIDs to my public key, so I can have,  
> say 4 different email addresses, all attached to the same public  
> key. Does this mean I have several SIGNING keys, or several  
> DEcryption keys?

Neither.  It means you have 4 different ways other people can find  
your key.  An OpenPGP key is made up of a pile of keys (a primary key  
plus some number of subkeys) and a pile of user IDs.  Any of the user  
IDs can be used to locate the key as a whole.  Sometimes people set  
different preferences (essentially hints to the sender on how to  
encrypt data) on different user IDs, but the key that they encrypt to,  
and thus the key that you decrypt with, remains the same.

> Why would I want to create new 'subkeys?' Of what benefit to have,  
> say 5 subkeys belonging to one (master)(private)(signing) key?

One reason is to have different keys for different purposes.  You can  
have one subkey for encryption, one subkey for signing, and leave your  
primary key for certification.  This lets you do tricks like keeping  
your primary key offline.  This is useful as the primary key is the  
most "valuable" key (since it can make more subkeys), so protecting it  
is a good idea.

> What do the letters to the right of the words "usage" mean?  
> (S,C,A,E) I can only guess |S|ign, |E|ncrypt, ....

(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example,  
logging in)
(E)ncrypt: encrypt data

David
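The structure David describes (one primary key, several subkeys with their own usage letters, several user IDs that all point at the same key material) is visible directly in the machine-readable listing `gpg --list-secret-keys --with-colons` prints. The following is an added example, not code from the original thread or from GnuPG: a small parser for that listing that groups sec/ssb/uid records into one key, reports which key actually serves each usage letter, and checks whether the primary key could be taken offline (i.e. every S, E and A usage is already served by a subkey). Field positions (field 12 = capabilities, field 15 = "#" when the secret part is a stub, field 10 = user ID) follow GnuPG's documented colon format; the sample listing, key IDs and names are constructed placeholders.

```python
"""Added example: group `gpg --list-secret-keys --with-colons` records into one
OpenPGP key (primary + subkeys + user IDs) and show which key serves S/C/A/E."""
from dataclasses import dataclass, field
from typing import List, Optional

# Public-key algorithm IDs as printed in field 4 (RFC 4880 / GnuPG).
ALGO = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 22: "EdDSA"}


@dataclass
class Key:
    kind: str             # sec/pub = primary key, ssb/sub = subkey
    keyid: str            # field 5
    algo: str             # field 4, mapped to a name where known
    usage: str            # field 12, lowercase letters: this key's own s/c/a/e
    secret_present: bool  # field 15 on sec/ssb lines: "#" means stub, secret part absent


@dataclass
class OpenPGPKey:
    primary: Key
    aggregate: str        # uppercase letters on the primary line: what the key as
                          # a whole can do, taking primary and subkeys together
    subkeys: List[Key] = field(default_factory=list)
    uids: List[str] = field(default_factory=list)


def _fld(fields, n):
    """1-based field n of a colon record, or "" if the record is shorter."""
    return fields[n - 1] if len(fields) >= n else ""


def _key_from(fields):
    caps = _fld(fields, 12)
    a = _fld(fields, 4)
    return Key(kind=_fld(fields, 1), keyid=_fld(fields, 5),
               algo=ALGO.get(int(a), a) if a.isdigit() else a,
               usage="".join(c for c in caps if c.islower()),
               secret_present=_fld(fields, 15) != "#")


def parse_colons(text: str) -> List[OpenPGPKey]:
    """Group sec/pub, ssb/sub and uid records into OpenPGPKey objects."""
    keys: List[OpenPGPKey] = []
    cur: Optional[OpenPGPKey] = None
    for line in text.splitlines():
        f = line.split(":")
        kind = _fld(f, 1)
        if kind in ("sec", "pub"):
            caps = _fld(f, 12)
            cur = OpenPGPKey(primary=_key_from(f),
                             aggregate="".join(c for c in caps if c.isupper()))
            keys.append(cur)
        elif kind in ("ssb", "sub") and cur is not None:
            cur.subkeys.append(_key_from(f))
        elif kind == "uid" and cur is not None:
            cur.uids.append(_fld(f, 10))
    return keys


def key_for(key: OpenPGPKey, usage: str) -> Optional[Key]:
    """Which key is used for usage 'S', 'E', 'A' or 'C'.

    Certification is always the primary key.  For the others a subkey carrying
    the flag wins; otherwise the primary is used if it carries the flag itself.
    No user ID takes part: every UID locates the same key material."""
    u = usage.lower()
    if u == "c":
        return key.primary if "c" in key.primary.usage else None
    for sk in key.subkeys:
        if u in sk.usage:
            return sk
    return key.primary if u in key.primary.usage else None


def offline_primary_ready(key: OpenPGPKey) -> bool:
    """True when every day-to-day usage the key offers (S, E, A) is served by a
    subkey, so the primary is needed only to certify and can be kept offline."""
    needed = set(key.aggregate.lower()) - {"c"}
    return all(any(u in sk.usage for sk in key.subkeys) for u in needed)


def describe(key: OpenPGPKey) -> List[str]:
    p = key.primary
    out = [f"{p.kind} {p.keyid} {p.algo} usage={p.usage} overall={key.aggregate} "
           f"secret={'present' if p.secret_present else 'stub (offline)'}"]
    out += [f"  uid  {u}" for u in key.uids]
    out += [f"  {sk.kind} {sk.keyid} {sk.algo} usage={sk.usage}" for sk in key.subkeys]
    for u in "SEAC":
        k = key_for(key, u)
        out.append(f"  {u} -> {k.keyid if k else 'no key'}")
    out.append(f"  primary can be taken offline: {offline_primary_ready(key)}")
    return out


# Constructed sample (placeholder key IDs and names) in the layout of
# `gpg --list-secret-keys --with-colons`.  Key 1: 2009-style default gen-key,
# DSA primary that signs and certifies plus one Elgamal encryption subkey, with
# two user IDs.  Key 2: certify-only primary whose secret part is a stub (#),
# with separate S, E and A subkeys.
SAMPLE = """\
sec:u:1024:17:0123456789ABCDEF:1236264000:::u:::scESC:::+:::::
fpr:::::::::FEDCBA9876543210FEDCBA98760123456789ABCDEF:
uid:u::::1236264000::AABBCCDD11223344AABBCCDD11223344AABBCCDD::Felipe Alvarez <felipe@example.org>::::::::::0:
uid:u::::1236264000::11223344AABBCCDD11223344AABBCCDD11223344::Felipe Alvarez <felipe@example.net>::::::::::0:
ssb:u:2048:16:1111111111111111:1236264000::::::e:::+:::::
sec:u:255:22:AAAAAAAAAAAAAAAA:1583420000:::u:::cESCA:::#:::::
uid:u::::1583420000::55667788AABBCCDD55667788AABBCCDD55667788::Alice <alice@example.org>::::::::::0:
ssb:u:255:22:2222222222222222:1583420000:1614956000:::::s:::+:::::
ssb:u:255:18:3333333333333333:1583420000:1614956000:::::e:::+:::::
ssb:u:255:22:4444444444444444:1583420000:1614956000:::::a:::+:::::
"""

KEYS = parse_colons(SAMPLE)

if __name__ == "__main__":
    for k in KEYS:
        print("\n".join(describe(k)))
        print()
```

Run it on your own keyring with `gpg --list-secret-keys --with-colons | python3 -c 'import sys, keys; [print("\n".join(keys.describe(k))) for k in keys.parse_colons(sys.stdin.read())]'` (assuming the file is saved as keys.py). On the first sample key both user IDs resolve E to the same Elgamal subkey, which is the "neither" in David's answer; the second key answers the subkey question: with S, E and A on subkeys the primary only certifies, so it can live on a stub (`#`) on the online machine.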
