multiple keys vs multiple identities

Daniel Kahn Gillmor dkg at
Fri Sep 24 16:00:40 CEST 2010

On 09/24/2010 09:36 AM, Simon Richter wrote:
> On Fri, Sep 24, 2010 at 02:15:24PM +0200, Vjaceslavs Klimovs wrote:
>> If I have multiple not related e-mail accounts, is it better to create
>> one key pair with multiple identities or a separate key pair for every
>> account?

note that if you want to keep the identities dis-associated (that is,
you don't want people to know that they belong to the same person, you
should not attach them to the same primary key.  I know at least one
person who did this, and as a result found their online private identity
permanently and publicly associated with their work identity, which was
not intended :(

> It'd be nice if there was a signature notation that specifies which
> UID(s) this signature would be valid for.

Unless i'm misunderstanding your suggestion, there is no need for such a
notation -- OpenPGP certifications are made over a single User ID and
its associated primary key.  If you certify someone's key and they have
three User IDs, and you only can vouch for two of them, you should only
certify those two.

GnuPG makes this possible by asking "really sign all User IDs?" when you
gpg --sign-key $KEYID.  if you say "N" to the question above, it will
drop you to a shell where you can select the User IDs you want to
certify.  enter '1' to select the first User ID, '2' for the second, etc.

When you've marked all the User IDs you want to certify, then type 'sign'.

Note that the primary keyholder can add new User IDs at any time.  If
you were certifying the primary key itself (and only by implication all
User IDs, instead of each one explicitly), then the primary keyholder
could (after the fact) add an entirely bogus User ID which it would look
like you had certified.  That would be a Bad Thing.  OpenPGP doesn't
work that way.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100924/197b6560/attachment.pgp>

More information about the Gnupg-users mailing list