new keys vs. sub-keys vs. uids

MFPA 2014-667rhzu3dc-lists-groups at
Sat May 3 17:05:16 CEST 2014



On Saturday 3 May 2014 at 2:08:35 AM, in
<mid:20140502200835.2cb51cad at bigbox.christie.dr>,
gnupg at wrote:

> However, after adding multiple uids and emailing an
> encrypted test message from the new UID
> (work at, I noticed that Claws Mail reported
> that it had been signed by "home at" instead
> of "work at",

The email client will have told GnuPG to search for a key with a UID
containing <work at>, which it found. I suspect
<home at> was reported by the email client as the signing
identity due to being set as the default UID.

Anybody could look at the key using GnuPG or something like PGPdump
and see all the IDs. In fact, simply checking the signature with GnuPG
should display something like:-

gpg: Good signature from "... <home at>" [unknown]
gpg:                 aka "... <work at>" [unknown]

> In the hope of
> keeping the entries completely separate, I then tried
[a unique key for each persona]

> This seemed to work as expected, but has the down-side
> that I would have N separate passphrases to
> maintain/remember for each of the N personas.  Yes, I
> can make them all the same passphrase, but it would be
> nice if they were all under one master passphrase.

GnuPG can't manage your passphrases for you, but there are various
password managers available to do just that.

> So I guess I'm looking for

> 1) something that doesn't leak identities across
> signatures

Not leaking the identity information can be achieved by not putting it
in your UIDs.

For example, my key has only one UID: "MFPA <a at b.c>"

However, not having the email address in my UID makes it harder for
people to use my key.

Anybody who receives signed emails that I sent from different
addresses can see they were signed with the same key and deduce they
are likely to be from the same person. But they cannot look at the key
and enumerate what other addresses or names I might use.

> 2) a single passphrase to manage the
> multiple identities

You could use the same password for several keys, or use a password
manager such as you might use to remember website login details.

> 3) can be identified by the signing
> email address (Claws seems to make this easy for
> choosing the signing key)

To enable my email client to locate my key by email address, I make
use of group lines in my gpg.conf. For example:-

group <2014-667rhzu3dc-lists-groups at>=0xA8A90B8EAD0C6E69

For my email client, this only works if the email address in the group
line is surrounded by angle brackets. Other people report that they
need to omit the angle brackets, and still others report that it does
not matter for them.

--
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at

Free advice costs nothing until you act upon it
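As an added illustration of the two points above (anyone can enumerate every UID on a key, and the mail client finds a key by searching UIDs for the sender address), here is a small parser for `gpg --with-colons --list-keys` output. It is not from the original post; the listing, key IDs and addresses are constructed, and in practice you would feed it the real command's output.

```python
"""Enumerate the user IDs on a public key from `gpg --with-colons --list-keys`
output, and look a key up by e-mail address the way a mail client does.
Added example; the listing below is constructed, not real key data."""
import re

# Constructed sample of `gpg --with-colons --list-keys` output (hypothetical
# key IDs and addresses). Field 1 is the record type, field 5 of a pub record
# is the key ID, field 10 of a uid record is the user ID string.
SAMPLE_LISTING = """\
tru::1:1398000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1398000000::::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1398000000::AAAA::Example Person <home@example.org>::::::::::0:
uid:u::::1398000000::BBBB::Example Person <work@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1398000000::::::e::::::23:
pub:u:4096:1:1111222233334444:1398000000::::::scESC::::::23::0:
uid:u::::1398000000::CCCC::MFPA <a@b.c>::::::::::0:
"""


def _unescape(field):
    # gpg escapes ':' and other special bytes inside a uid field as \xHH
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_colon_listing(text):
    """Return {key_id: [user_id, ...]} for every pub record in the listing.
    Every UID is visible here: the key itself carries all of them."""
    keys = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            keys[current] = []
        elif fields[0] == "uid" and current is not None:
            keys[current].append(_unescape(fields[9]))
    return keys


def keys_for_address(keys, address):
    """Key IDs whose UIDs carry <address>: the search a mail client asks
    GnuPG to do when it picks the signing key from the From: address."""
    needle = "<%s>" % address.lower()
    return [kid for kid, uids in keys.items()
            if any(needle in uid.lower() for uid in uids)]


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for kid, uids in keys.items():
        print(kid, "->", uids)
    print("work@example.com ->", keys_for_address(keys, "work@example.com"))
```

Running it shows the "work" address resolving to the same key that also lists the "home" UID, which is exactly why a signature made from one address reveals the other.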

