different passwords for subkeys of the same masterkey

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 21 16:50:56 CET 2015


On Wed 2015-01-21 05:58:40 -0500, s7r wrote:
> Understood. I guess this has to be done via console commands, since
> the poor enigmail thunderbird addon has very limited options when
> creating/editing a GPG key.

yes, what you're trying to do is rather unusual; enigmail intends to
deliver a smooth and easy experience for the common use case.  It would
be a mistake for enigmail to try to expose something like this.

> I have 2 masterkeys, each with a subkey. Any way I can merge them
> together so I would have one primary key and 3 subkeys?

I don't recommend doing so directly, no.  Your best bet is to simply
choose one of your keys that you want to use going forward; add two new
subkeys to that key; and then set a short expiration date on the other
one or explicitly revoke it.

>>> Additionally, how can I select in enigmail which userID I want to
>>> sign when signing a key with multiple UserIDs? I do not want to
>>> sign the primary one. Enigmail just offers me the ability to
>>> 'sign key', nothing said about UserID, just lets me select either
>>> normal signature or local signature not exportable.
>> 
>> The thing that you're signing with is a key.  it's either your
>> primary key, or a signing-capable subkey.  Your User IDs are all
>> associated with your primary directly (and with your subkeys
>> indirectly, through the primary key).
>> 
>
> I guess my question was not clear - sorry about it. I can see multiple
> flags for the keys: Sign, Encrypt, Certify. I guess the Certify flag
> matters when signing another GPG key and Sign is used for signing text?

yes, this is right.  Sorry that i misunderstood your question.

> I have the public key of John Doe <john.doe at example.com> . He has more
> UserIDs associated with the same masterkey, as follows:
> John Doe <john.doe at example.com>
> John Smith <john.smith at foo.com>
> Bob Jones <bob.jones at test.net>
> Primary UserID is John Doe <john.doe at example.com>
>
> I want to sign this key, but just to confirm the UserID John Smith
> <john.smith at foo.com> and not sign/certify his other UserIDs belonging
> to the same key. Is this possible?

This is a really good point, and i hadn't looked at the enigmail
keysigning experience that way.  I note that you're mailing the
gnupg-users mailing list about this, though, and it's really a question
of the enigmail interface.  GnuPG itself does let the user select which
User IDs to certify during keysigning.

It's probably best to continue this discussion on the enigmail mailing
list (cc'ed here).

I've just filed https://sourceforge.net/p/enigmail/bugs/388/ to track
the problem.  Feel free to follow up there as well.

Regards,

        --dkg
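Both pieces of advice above (consolidate onto one primary key with new subkeys and retire the other, and certify only one User ID of a key) as an added shell example that is not part of the thread. It assumes GnuPG 2.2 or later for the `--quick-*` commands; every key, name and address below is constructed test data in a throwaway keyring.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.2+ (--quick-* commands).
# All keys, names and addresses are constructed; the empty passphrase is only
# acceptable because the keyring is a temporary one deleted on exit.
set -eu
export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"

# unattended gpg wrapper for the throwaway keys
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
# fingerprint of the primary key matching a user id
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
# number of subkeys hanging off a primary key
subkey_count() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="sub"{n++} END{print n+0}'; }
# expiry timestamp of the primary key, empty when it never expires
expiry_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $7; exit}'; }
# certifications by the key with fingerprint $2 on user id $1 of key $3
cert_count() {
    kid=$(printf %s "$2" | tail -c 16)   # long key id = last 16 hex digits of the fpr
    gpg --batch --with-colons --list-sigs "$3" | awk -F: -v uid="$1" -v kid="$kid" '
        $1=="uid" { cur=$10 }
        $1=="sig" && cur==uid && $5==kid { n++ }
        END { print n+0 }'
}

# s7r's starting point: two primary keys, each with one (encryption) subkey
g --quick-generate-key "Key A <a@example.invalid>" default default never
g --quick-generate-key "Key B <b@example.invalid>" default default never
A=$(fpr_of a@example.invalid); B=$(fpr_of b@example.invalid)

# dkg's advice: keep A, add two new subkeys to it, retire B with a short expiry
g --quick-add-key "$A" default sign never
g --quick-add-key "$A" default encr never
g --quick-set-expire "$B" 1d      # the alternative is an explicit revocation

# the other question: John Doe's key has three User IDs; certify only John Smith
g --quick-generate-key "John Doe <john.doe@example.invalid>" default default never
J=$(fpr_of john.doe@example.invalid)
g --quick-add-uid "$J" "John Smith <john.smith@foo.invalid>"
g --quick-add-uid "$J" "Bob Jones <bob.jones@test.invalid>"
# naming the User ID restricts the certification to that one User ID
g -u "$A" --quick-sign-key "$J" "John Smith <john.smith@foo.invalid>"

echo "A now has $(subkey_count "$A") subkeys; B expires at $(expiry_of "$B")"
```

The same selection is available interactively with `gpg --edit-key`, by choosing a `uid` before issuing `sign`.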