new keys vs. sub-keys vs. uids

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Sat May 3 17:05:16 CEST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 3 May 2014 at 2:08:35 AM, in
<mid:20140502200835.2cb51cad at bigbox.christie.dr>,
gnupg at tim.thechases.com wrote:


> However, after adding multiple uids and emailing an
> encrypted test message from the new UID
> (work at example.com), I noticed that Claws Mail reported
> that it had been signed by "home at example.name" instead
> of "work at example.com",

The email client will have told GnuPG to search for a key with a UID
containing <work at example.com>, which it found. I suspect
<home at example.name> was reported by the email client as the signing
identity due to being set as the default UID.


Anybody could look at the key using GnuPG or something like PGPdump
and see all the IDs. In fact, simply checking the signature with GnuPG
should display something like:-

gpg: Good signature from "... <home at example.name>" [unknown]
gpg:                 aka "... <work at example.com>" [unknown]




> In the hope of
> keeping the entries completely separate, I then tried
[a unique key for each persona]

> This seemed to work as expected, but has the down-side
> that I would have N separate passphrases to
> maintain/remember for each of the N personas.  Yes, I
> can make them all the same passphrase, but it would be
> nice if they were all under one master passphrase.

GnuPG can't manage your passphrases for you, but there are various
password managers available to do just that.



> So I guess I'm looking for

> 1) something that doesn't leak identities across
> signatures

Not leaking the identity information can be achieved by not putting it
in your UIDs.

For example, my key has only one UID: "MFPA <a at b.c>"

However, not having the email address in my UID makes it harder for
people to use my key.

Anybody who receives signed emails that I sent from different
addresses can see they were signed with the same key and deduce they
are likely to be from the same person. But they cannot look at the key
and enumerate what other addresses or names I might use.



> 2) a single passphrase to manage the
> multiple identities

You could use the same password for several keys, or use a password
manager such as you might use to remember website login details.



> 3) can be identified by the signing
> email address (Claws seems to make this easy for
> choosing the signing key)

To enable my email client to locate my key by email address, I make
use of group lines in my gpg.conf. For example:-

group <2014-667rhzu3dc-lists-groups at riseup.net>=0xA8A90B8EAD0C6E69

For my email client, this only works if the email address in the group
line is surrounded by angle brackets. Other people report that they
need to omit the angle brackets, and still others report that it does
not matter for them.


- --
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

Free advice costs nothing until you act upon it
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlNlBblXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pfWMD/36QBpvlbY33J27Y2UmCfg7PUNR6wL+Wtaci
DQM/JkmMFQZPg3MeYrCEBjO1xosMcvRgtof/TTaV4XkiR1XPdW8JHTiQVNCTHYjg
DCY9aGVugClVdC/BeNxIwXD4ttBB9cOENHoCCnFOZerOSdIj0r2238eguascLNXR
AkDhgdY1
=p1Ik
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list