GPG keys for multiple email accounts
mailinglisten at hauke-laging.de
Sun Jul 7 18:50:16 CEST 2013
On Sun, 07.07.2013, 10:18:46, atair wrote:
> So, following your suggestions, I (c|sh)ould do:
> 1.1. create one master key for signing in a safe environment e.g. live
> CD, USB flash disk.
The mainkey is primarily for certification (this refers to key components), not
really for signing (which refers to (other) data). Signing with a mainkey
makes sense in certain situations, though. One important example is the
document with your key policy.
> 1.2. the expire date is set to several years
I let both my mainkeys and subkeys expire after one year. You don't have to
throw them away afterwards. You can simply create a new signature /
certification with an expiration date later in the future.
> 1.4. no user ID is added.
You always have one. You probably meant "no second".
> 2.4. add a fake UID that identifies the domain of the key (business,
> private organization,..)
I recommend having one UID without an email address: just your name and a
comment, something like "key for private addresses; secure offline mainkey".
> 2.5. sign those keys by the master key.
That is done automatically when you add UIDs.
> 2.6. publish/hand out the public sub keys to the respective
> sender/recipient group of people.
You have to publish a complete certificate. You cannot leave out the public
mainkey. Without it neither the fingerprint nor the UIDs or subkeys could be
verified by the importing application. The fact that you have an offline
mainkey does not influence your certificate ("public key") in any way (except
for maybe mentioning this fact). The sending application automatically selects
the subkey for encryption. OK, to tell the truth: GnuPG does that. I am not
even sure whether the RFC demands that. If you want to be sure you may create
the mainkey without the flag for encryption (--expert --gen-key). But this
would prevent you from using the mainkey as a high security key (useful if you
don't have a separate one).
> >> Does it create problems to attach a fake email
> >> address to the key (e.g. @example.com)?
> > Problems like not being taken seriously?
> Would it be really that grave? If persons know and trust you, they
> sign your key (and you may explain, why you use a pseudonym).
Pseudonyms may make sense. I don't think there is a case in which an illegal
email address does. Of course, that somebody believes that you haven't
understood OpenPGP does not mean that he knows more about it than you... These
are social rather than technical problems. You alone have to handle them; your
point of view is the relevant one.
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
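The key layout discussed in the reply above (a certify-only main key kept offline, one-year expiry that is extended rather than replaced, a UID without an email address next to one with the real address, publishing the complete certificate, and handing only the secret subkeys to the online machine), as an added example script that is not part of the original post and not taken from the GnuPG documentation. It assumes GnuPG 2.2 or newer: the usage "cert" passed to --quick-generate-key yields the same certify-only main key that the --expert --gen-key menu lets you pick by hand, and --quick-set-expire is used with subkey fingerprints to extend the subkeys too. The name and address are constructed (example.org is a reserved domain); the empty passphrase only keeps the run unattended.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG >= 2.2 and awk.
# Identity below is constructed; example.org is a reserved domain.
set -eu

NAME="Alice Example"
UID_OFFLINE="$NAME (key for private addresses; secure offline mainkey)"
UID_MAIL="$NAME <alice@example.org>"

# Unattended gpg call against the keyring directory in $1. The empty
# passphrase keeps the example non-interactive; use a real one offline.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' "$@"
}

primary_fpr() {   # fingerprint of the main key in keyring $1
    gpg --homedir "$1" --batch --with-colons --list-keys \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

generate_keys() {   # $1: keyring directory on the offline machine
    mkdir -p "$1" && chmod 700 "$1"
    # 1. main key: certify-only, expires in one year; it is extended later,
    #    not thrown away
    g "$1" --quick-generate-key "$UID_OFFLINE" ed25519 cert 1y
    fpr=$(primary_fpr "$1")
    # 2. daily-use subkeys: one signing, one encryption, also one year
    g "$1" --quick-add-key "$fpr" ed25519 sign 1y
    g "$1" --quick-add-key "$fpr" cv25519 encr 1y
    # 3. second UID with the email address; gpg self-certifies it with the
    #    main key automatically, there is no separate signing step
    g "$1" --quick-add-uid "$fpr" "$UID_MAIL"
    # 4. what gets published: the complete certificate, main key included
    g "$1" --armor --export "$fpr" > "$1/public.asc"
    # 5. what moves to the online machine: the secret subkeys only
    g "$1" --armor --export-secret-subkeys "$fpr" > "$1/secret-subkeys.asc"
}

import_subkeys_only() {   # $1: offline keyring, $2: online keyring
    mkdir -p "$2" && chmod 700 "$2"
    g "$2" --import "$1/public.asc" "$1/secret-subkeys.asc"
}

extend_expiry() {   # $1: offline keyring, $2: new expiry such as 2y
    fpr=$(primary_fpr "$1")
    g "$1" --quick-set-expire "$fpr" "$2"
    # in colon output each subkey's fpr record follows its sub record
    for sub in $(gpg --homedir "$1" --batch --with-colons --with-subkey-fingerprint \
                     --list-keys "$fpr" \
                 | awk -F: '$1=="sub"{s=1; next} $1=="fpr" && s {print $10; s=0}'); do
        g "$1" --quick-set-expire "$fpr" "$2" "$sub"
    done
}

# Checks worth running on the result.
primary_usage() {   # the main key's own capabilities: lowercase part of field 12
    gpg --homedir "$1" --batch --with-colons --list-keys \
        | awk -F: '$1=="pub"{print $12; exit}' | tr -d 'A-Z'
}
primary_expiry() {  # expiration timestamp of the main key (field 7)
    gpg --homedir "$1" --batch --with-colons --list-keys \
        | awk -F: '$1=="pub"{print $7; exit}'
}
count_records() {   # number of records of type $2 (uid, sub, ...) in keyring $1
    gpg --homedir "$1" --batch --with-colons --list-keys \
        | awk -F: -v t="$2" '$1==t{n++} END{print n+0}'
}
primary_secret_status() {  # field 15 of sec: "#" = only a stub, no secret main key
    gpg --homedir "$1" --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="sec"{print $15; exit}'
}
stop_agents() {     # gpg starts one agent per homedir; shut them down again
    for d in "$@"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
}

if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    generate_keys "$work/offline"
    import_subkeys_only "$work/offline" "$work/online"
    echo "main key usage on offline box: $(primary_usage "$work/offline")"
    echo "main key secret status on online box: $(primary_secret_status "$work/online")"
    extend_expiry "$work/offline" 2y
    stop_agents "$work/offline" "$work/online"
fi
```

Run it as `sh keys.sh demo`. On the online keyring the main key shows up as a stub (`sec#` in `gpg -K`), so nothing there can certify UIDs or add subkeys; the exported public.asc is what you publish, since a certificate without the public main key could not be verified by the importing side.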