different passwords for subkeys of the same masterkey
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 21 03:36:49 CET 2015
On Mon 2015-01-12 10:13:48 -0500, s7r wrote:
> Is it possible to have one masterkey with two subkeys (sbind), one for
> encrypt only and one for sign only, and each of them to have different
> passphrases?
Yes, it is possible. With gpg 2.1, you can create new subkeys and give
each of them a different passphrase. I haven't tested with 1.4 or 2.0.
> Additionally, how can I select in enigmail which userID I want to sign
> when signing a key with multiple UserIDs? I do not want to sign the
> primary one. Enigmail just offers me the ability to 'sign key',
> nothing said about UserID, just lets me select either normal signature
> or local signature not exportable.
The thing that you're signing with is a key. It's either your primary
key, or a signing-capable subkey. Your User IDs are all associated with
your primary directly (and with your subkeys indirectly, through the
primary key).
The OpenPGP standard defines a way to embed the preferred user ID in a
given signature using a "signer's user ID" subpacket [0], but it has
several drawbacks:
* I'm not sure how to do it in GnuPG, which enigmail relies on for the
  OpenPGP parts, and
* it's not clear what a receiving MUA should do with that information,
  even if it was present.
So I don't think this is a feature request that makes a lot of sense,
really. Can you explain more what you'd hope to gain from such a
configuration?
--dkg
[0] https://tools.ietf.org/html/rfc4880#section-5.2.3.22
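
The "signer's user ID" subpacket cited in [0] can be located in a version 4 signature by walking its subpacket areas. The following is an added example, not part of the original message and not GnuPG or Enigmail code; the function names and the sample signature body are constructed for illustration. It also reports whether the subpacket sat in the hashed area, since the unhashed area is not covered by the signature.

```python
import struct

SIGNERS_USER_ID = 28  # subpacket type from RFC 4880 section 5.2.3.22

def iter_subpackets(area):
    """Yield (type, critical, data) for each subpacket (RFC 4880 section 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        # The length covers the type octet; bit 7 of the type is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def signers_user_id(sig_body):
    """Return (user_id, in_hashed_area) from a v4 signature packet body, else None."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    off = 6 + hashed_len
    if off + 2 > len(sig_body):
        raise ValueError("truncated hashed area")
    unhashed_len = struct.unpack(">H", sig_body[off:off + 2])[0]
    if off + 2 + unhashed_len > len(sig_body):
        raise ValueError("truncated unhashed area")
    areas = ((sig_body[6:off], True), (sig_body[off + 2:off + 2 + unhashed_len], False))
    for area, hashed in areas:               # the unhashed area is not covered by the signature
        for typ, _critical, data in iter_subpackets(area):
            if typ == SIGNERS_USER_ID:
                return data.decode("utf-8", "replace"), hashed
    return None

def subpacket(typ, data):                    # constructed helper, short subpackets only
    return bytes([len(data) + 1, typ]) + data

def build_sig(hashed, unhashed):             # constructed body: MPIs omitted, hash prefix zeroed
    return (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

SAMPLE = build_sig(subpacket(2, struct.pack(">I", 1421807809))
                   + subpacket(28, b"Alice Example <alice@example.org>"),
                   subpacket(16, bytes(8)))
print(signers_user_id(SAMPLE))
```

A receiving client that acts on this value would still need to verify the signature and confirm that the user ID is actually bound to the signing key.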