Aw: Re: multiple keys with different UIDs and common WoT?

Peter Lebbing peter at digitalbrains.com
Sun Dec 1 11:12:00 CET 2013


On 30/11/13 23:42, Klaus wrote:
> Ok, this will fix the WoT from my perspective. What about other users
> importing my work key?

Yes, you are of course correct. I forgot the other side for a moment :).

How about this:

- On your work PC, you only have the secret subkeys (signing and encryption) of
your work keypair. The master key (for certification) is held securely at your home.
- You ask people, when they certify you, to certify both keys. It's a rare
event; it's not that big of a burden all in all.
- When you switch jobs, you revoke the existing subkeys, the ones where the
secret material was on the work PC. You create new subkeys for signing and
encryption and place those on your new work PC.

That way, the IT department of the company (or other people with access to your
work PC) will only gain access to work-related stuff /for that company/. Once
you go work for the competitor, they can no longer access any new work-related
stuff which is encrypted to the new subkey.

Your secret master key never enters the premises of the company you work for,
and other people certify that master key, so you don't lose the certifications
when you switch jobs.

> That shouldn't be a problem, as long as I don't ask people to sign my work
> key and don't sign with my work key.

You are a lot more free than that. Other people can sign both keys, and you can
sign other people's keys with either of your master keys. You just shouldn't
sign a key with /both/, if you want to keep the famous "some people" happy.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
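As an added example (not from this thread or from GnuPG itself): a small Python audit that reads `gpg --list-secret-keys --with-colons` output taken on a work PC and checks the layout Peter describes, with the master key present only as a stub, usable signing and encryption subkeys, and no secret material left behind for subkeys revoked at a job switch. The listings it runs on are constructed, and the field positions it assumes (validity, key ID, capabilities, secret availability) are taken from GnuPG's doc/DETAILS.

```python
# Added example (not from the thread): audit the output of
# `gpg --list-secret-keys --with-colons` taken on a work PC. Field positions
# per GnuPG doc/DETAILS, 1-based: 2 validity, 5 key ID, 12 capabilities,
# 15 secret availability ('+' present, '#' stub only).

def parse_secret_listing(text):
    """One dict per sec/ssb record; uid/fpr records are skipped."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) >= 15:
            keys.append({"primary": f[0] == "sec", "revoked": f[1] == "r",
                         "keyid": f[4], "caps": f[11],
                         "secret_present": f[14] == "+"})
    return keys

def audit_work_pc(text):
    """Findings as strings; an empty list means the layout matches the advice."""
    keys = parse_secret_listing(text)
    primary = [k for k in keys if k["primary"]]
    if len(primary) != 1:
        return ["expected exactly one primary key in the listing"]
    findings = []
    if primary[0]["secret_present"]:
        findings.append("master secret key is present on this machine")
    live = [k for k in keys if not k["primary"] and not k["revoked"]]
    for cap in "se":  # one usable signing and one encryption subkey needed
        if not any(cap in k["caps"] and k["secret_present"] for k in live):
            findings.append(f"no usable subkey with capability '{cap}'")
    stale = [k["keyid"] for k in keys
             if not k["primary"] and k["revoked"] and k["secret_present"]]
    if stale:
        findings.append("revoked subkeys still carry secret material here: "
                        + ", ".join(stale))
    return findings

# Constructed listings; key IDs and timestamps are made up, not real keys.
MASTER_STUB = "sec:u:255:22:1111AAAA2222BBBB:1385856000:::u:::cESC:::#:::23::0:\n"
WORK_PC_OK = MASTER_STUB + (
    "ssb:u:255:22:3333CCCC4444DDDD:1385856000::::::s:::+:::23:\n"
    "ssb:u:255:18:5555EEEE6666FFFF:1385856000::::::e:::+:::23:\n")
# Whole secret key copied over instead of using --export-secret-subkeys.
WORK_PC_MASTER_LEAKED = WORK_PC_OK.replace(":::#:::23::0:", ":::+:::23::0:")
# New job: old subkeys revoked and replaced, but the old encryption subkey's secret came along.
AFTER_JOB_SWITCH = MASTER_STUB + (
    "ssb:r:255:22:3333CCCC4444DDDD:1385856000::::::s:::#:::23:\n"
    "ssb:r:255:18:5555EEEE6666FFFF:1385856000::::::e:::+:::23:\n"
    "ssb:u:255:22:7777AAAA8888BBBB:1480000000::::::s:::+:::23:\n"
    "ssb:u:255:18:9999CCCC0000DDDD:1480000000::::::e:::+:::23:\n")
```

Run it against a real listing with `audit_work_pc(open("listing.txt").read())`; an empty result means the machine holds only what the advice above says it should.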
