Seeking clarification with a few GPG concepts

Peter Lebbing peter at digitalbrains.com
Wed Aug 13 12:23:24 CEST 2014


Hello,

> Can she add a new UID of the same name "Alice <uid2 at company.com>" to 
> her gpg key again?

I'm pretty sure that, yes, you can.

> In another scenario, Alice not only has a master key, but also 
> subordinate keys, say for her notebook and mobile phone. First, can 
> she say that the mobile phone should be able to sign/decrypt only for
> uid1 at alice.com?

For decryption: No. UID's are always bound to the primary key. If
someone encrypts data to you, they are free to choose whatever
non-expired encryption-capable subkey or master key they want. In
practice, you'll usually see that it will be encrypted to the last
created non-expired key.

You choose which key you use to sign with; your peers will accept
signatures from any non-expired signing-capable key.

There is no proper way to say to your peers "encrypt to this subkey if
you want me to read it on the move and encrypt to that subkey if you
want I can only read it on my super-secure computer".

> What happens if a subordinate key of mine expires? Can I just 
> generate a new one and let people know? Or would I also have lost 
> trust/signatures of my identities gathered in the past?

You can simply generate a new one. Certifications are done on the pair
of an UID and your master key. Subkeys don't play a role in certifications.

> Just that he trusts UID X belongs to the name and address given in 
> UID X, and that UID X is associated with Alice's master key

Precisely. Although you are actually a bit too specific. A certification
means what the signing party wants it to mean. Some people will not
verify the e-mail address. Some will decline to sign a key with a
comment they can't properly verify or otherwise object to. Some will
have their signature mean "I've seen multiple e-mails from this person
signed with this key", others will want to hire a private investigator
and interrogate your parents (obviously only after a DNA test).

> Finally, I am wondering how I should organise my UIDs.

There is no single best way. Both all UIDs on one key and separate keys
per UID are done. Both have their pros and cons.

> Would it be considered strange, or even rude of some sort, if I
> asked someone to sign a number of identities of mine scattered
> across multiple gpg keys

No, I wouldn't think so. But obviously someone might say "I'm sorry,
that's too much effort for me" :).

> P.S.: It seems like my previous attempt to post this message failed.
>  I hope the mail won't come through twice now. I'm sorry if it does.

It did come through twice; the time it takes for your message to be
circulated to all the members can vary quite a bit.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list