GPG keys for multiple email accounts

Hauke Laging mailinglisten at hauke-laging.de
Sun Jul 7 18:50:16 CEST 2013


On Sun 07.07.2013, 10:18:46 atair wrote:

> So, following your suggestions, I (c|sh)ould do:
> 1.1. create one master key for signing on a safe environment e.g. live
> CD, USB flash disk.

The mainkey is primarily for certification (this refers to key components), not 
really for signing (which refers to (other) data). Signing with a mainkey 
makes sense in certain situations though. One important example is the 
document with your key policy.


> 1.2. the expire date is set to several years

I let both my mainkeys and subkeys expire after one year. You don't have to 
throw them away afterwards. You can simply create a new signature / 
certification with an expiration date later in the future.


> 1.4. no user ID is added.

You always have one. You probably meant "no second".


> 2.4. add a fake UID that identifies the domain of the key (business,
> private organization,..)

I recommend having one UID without an email address. Just your name and a 
comment, something like "key for private addresses; secure offline mainkey".


> 2.5. sign those keys by the master key.

That is done automatically when you add UIDs.


> 2.6. publish/hand out the public sub keys to the respective
> sender/recipient group of people.

You have to publish a complete certificate. You cannot leave out the public 
mainkey. Without it neither the fingerprint nor the UIDs or subkeys could be 
verified by the importing application. The fact that you have an offline 
mainkey does not influence your certificate ("public key") in any way (except 
for maybe mentioning this fact). The sending application automatically selects 
the subkey for encryption. OK, to tell the truth: GnuPG does that. I am not 
even sure whether the RFC demands that. If you want to be sure you may create 
the mainkey without the flag for encryption (--expert --gen-key). But this 
would prevent you from using the mainkey as a high security key (useful if you 
don't have a separate one).


> >> Does it create problems to attach a fake email
> >> address to the key (e.g. @example.com)?
> > 
> > Problems like not being taken seriously?
> 
> Would it be really that grave? If persons know and trust you, they
> sign your key (and you may explain, why you use a pseudonym).

Pseudonyms may make sense. I don't think there is a case in which an illegal 
email address does. Of course, that somebody believes that you haven't 
understood OpenPGP does not mean that he knows more about it than you... These 
are social rather than technical problems. You alone have to handle them, your 
point of view is the relevant one.


Hauke
-- 
Crypto for all: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
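The certificate layout Hauke describes above (certifying mainkey, day-to-day signing and encryption on subkeys, expiration dates that get extended rather than allowed to lapse, one UID without an email address, no placeholder addresses) can be checked mechanically from GnuPG's machine-readable key listing. The script below is an added example, not code from the mailing list post or from the GnuPG project. It parses the colon-separated records that `gpg --with-colons --list-keys <keyid>` prints (record type in field 1, creation and expiration as epoch seconds in fields 6 and 7, user ID in field 10, capability letters in field 12, as documented in GnuPG's doc/DETAILS) and reports deviations from that layout. The sample listing, its key IDs, fingerprint, hashes and names are constructed for the example; the `now` parameter exists so the expiry check is reproducible.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the kind of output `gpg --with-colons --list-keys <keyid>`
# produces for a certificate with a certify-only primary key, two user IDs and a
# signing plus an encryption subkey. Key IDs, fingerprint, hashes and names are
# made up for this example.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1372000000:1403536000::u:::cESC::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::1372000000::UIDHASH1::Example User (key for private addresses; secure offline mainkey)::::::::::0:
uid:u::::1372000000::UIDHASH2::Example User <user@example.com>::::::::::0:
sub:u:4096:1:1111111111111111:1372000000:1403536000:::::s::::::23:
sub:u:4096:1:2222222222222222:1372000000:1403536000:::::e::::::23:
"""

# Domains reserved for documentation and testing (RFC 2606); mail to an
# address in one of these can never be delivered.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = (".test", ".example", ".invalid", ".localhost")


def _key_record(fields):
    """Pick the useful columns out of a pub/sub record (zero-based indices:
    4 key ID, 5 creation time, 6 expiration time, 11 capability letters)."""
    return {
        "keyid": fields[4],
        "created": int(fields[5]) if fields[5] else None,
        "expires": int(fields[6]) if fields[6] else None,
        # Lowercase letters describe this key itself; the uppercase ones on a
        # pub line summarise the whole certificate and are dropped here.
        "caps": {c for c in fields[11] if c.islower()},
    }


def parse_listing(text):
    """Build {primary, fingerprint, uids, subkeys} from colon-format records."""
    cert = {"primary": None, "fingerprint": None, "uids": [], "subkeys": []}
    for line in text.splitlines():
        fields = line.split(":")
        fields += [""] * (12 - len(fields))      # tolerate short records
        kind = fields[0]
        if kind == "pub":
            cert["primary"] = _key_record(fields)
        elif kind == "fpr" and cert["fingerprint"] is None:
            cert["fingerprint"] = fields[9]      # first fpr line is the primary key's
        elif kind == "uid":
            cert["uids"].append(fields[9])
        elif kind == "sub":
            cert["subkeys"].append(_key_record(fields))
    return cert


def _placeholder_address(addr):
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain in RESERVED_DOMAINS or domain.endswith(RESERVED_TLDS)


def _date(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def check_certificate(cert, now):
    """Return a list of findings; an empty list means the layout looks as intended."""
    findings = []
    primary = cert["primary"]
    if primary is None:
        return ["no primary key record: UIDs and subkeys cannot be verified without the mainkey"]

    if not cert["uids"]:
        findings.append("no user ID (a certificate always has at least one)")
    if cert["uids"] and all("<" in uid for uid in cert["uids"]):
        findings.append("no user ID without an email address (name plus comment)")
    for uid in cert["uids"]:
        match = re.search(r"<([^>]+)>", uid)
        if match and _placeholder_address(match.group(1)):
            findings.append(f"user ID {uid!r} carries a placeholder email address")

    if "c" not in primary["caps"]:
        findings.append("primary key lacks the certify capability")
    if "e" in primary["caps"]:
        findings.append("primary key has the encryption flag; a sender's software "
                        "might encrypt to it instead of to a subkey")

    subkey_caps = set()
    for sub in cert["subkeys"]:
        subkey_caps |= sub["caps"]
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if cap not in subkey_caps:
            findings.append(f"no {name} subkey")

    keys = [("primary key " + primary["keyid"], primary)]
    keys += [("subkey " + sub["keyid"], sub) for sub in cert["subkeys"]]
    for label, key in keys:
        if key["expires"] is None:
            findings.append(f"{label} never expires")
        elif key["expires"] <= now:
            findings.append(f"{label} expired on {_date(key['expires'])}; "
                            "extend the expiration instead of replacing the key")
    return findings


def audit(listing_text, now=None):
    """Parse and check a listing; `now` (epoch seconds) defaults to the current time."""
    if now is None:
        now = int(datetime.now(tz=timezone.utc).timestamp())
    return check_certificate(parse_listing(listing_text), now)


if __name__ == "__main__":
    # Pipe a real listing in on stdin, or run without input to check the sample.
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it as `gpg --with-colons --list-keys <keyid> | python3 check_cert.py`. On the sample it reports only the placeholder address in the second UID; once the keys pass their expiration date it additionally lists each expired key, which is the cue to extend the dates rather than generate new keys.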