Multiple Subkey Pairs

Martin Behrendt martin-gnupg-users at dkyb.de
Thu Mar 13 17:30:52 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 13.03.2014 16:42, vedaal at nym.hush.com wrote:
> 
> On Thursday, March 13, 2014 at 8:03 AM, "Martin Behrendt"
> <martin-gnupg-users at dkyb.de> wrote:
> 
>> Hi,
> 
>> I want to achieve the following:
>> 1. A Master signing key
>> 2. A subkey signing/enc pair for my normal machine
>> 3. A subkey signing/enc pair for e.g. my mobile device
> 
>> What I want to do is to have a different "pair" for my mobile
>> device or work computer than on my machine. I want to give those
>> pairs a shorter lifetime like 1 year (depending on the paranoia
>> level) so I can change them more frequently.
> 
> ===== You can let all your correspondents know that they can
> encrypt simultaneously to all 3 of your keys that have the same
> e-mail address (assuming that you give them the fingerprints and
> long key IDs for the 3 keys, and they aren't going to be fooled
> by some attacker making a new key with your name and e-mail
> address).
> 

Thank you, that sounds like a solution worth going for. I'm just not
sure how to e.g. tell Thunderbird/Enigmail to use multiple keys for
one email address when sending (or will it do that by default?). If
you have a hint for that, that would be nice; otherwise I will try to
find out myself.
My closest thoughts to a solution like this were to set my reply-to
to two email addresses and maybe play around with the subkey
identities to achieve the same. Or also two different key pairs. One
big key with subkeys would be nicer though, to hide the "complexity" a
little.

@Hauke, Daniel
Thanks for your replies, too. Like I wrote, I am aware that multiple
encryption subkeys are not used. That's why I was asking if changing
that would make sense. Or what the bigger drawbacks are.

Also, the fact that it is hard to determine which key has which
security level is correct and an important issue. But I think this is
a problem which can be solved by proper key management and presentation.

Martin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEAREKAAYFAlMh3TgACgkQ/6vdZgk46shm3QCeLD6yYByhhOnDCPCpZPPO/863
9+AAnj2J4NA53YWbO9rn30rEBwh5wR79
=m03k
-----END PGP SIGNATURE-----


