Different key pair for e-mail and signing code

Robert J. Hansen rjh at sixdemonbag.org
Sat Jan 4 10:10:13 CET 2020


> Following my thread at (1), unless I'm missing something, it became
> apparent that Enigmail/Thunderbird does not fit the bill anymore.

It should be noted that Enigmail hasn't changed how it does anything.

> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
> the best way forward:

We don't know, either.  It's going to depend on your own personal risk
profile.

> - Am I missing something/better approach

If you want to segregate your code signing from your email, the best way
to do that is with a second certificate -- not adding subkeys to your
current one.

Ask yourself this: how often have you noticed that my signed messages
bear *two* signatures from *two* subkeys belonging to the same
certificate?  I've been doing this for years and nobody's ever noticed.
(Or at least, nobody's ever mentioned it to me to ask why I'm doing
something so weird.)

So if you're depending on people ascribing special semantic value to
which subkey is used -- honestly, I doubt people will ever even notice
which subkey you're using.  It's simply not a use case that comes up
very often, if ever.
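Added example, not part of this post or of GnuPG itself: a small verification policy in Python that reads the VALIDSIG lines GnuPG emits under --status-fd and accepts a code artefact only when the signature chains to the dedicated code-signing certificate. All fingerprints and status lines below are constructed. It shows the point made above: VALIDSIG names the subkey that signed and, last, the primary key it belongs to, so a policy keyed on the primary fingerprint cannot tell one subkey from another, whereas a second certificate is a boundary it can enforce.

```python
import re

# Constructed, hypothetical fingerprints (not real keys).
CODE_SIGNING_CERT = "1111222233334444555566667777888899990000"  # second certificate, code only
EMAIL_CERT        = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"  # everyday e-mail certificate
EMAIL_SUBKEY_A    = "9999888877776666555544443333222211110000"  # signing subkey under EMAIL_CERT
EMAIL_SUBKEY_B    = "0000111122223333444455556666777788889999"  # second signing subkey, same cert

# Constructed status lines in the shape of `gpg --status-fd 1 --verify` output.
# VALIDSIG fields: sig-fpr date timestamp expire version reserved pkalgo hashalgo class [primary-fpr]
SIGNED_WITH_CODE_CERT = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {CODE_SIGNING_CERT[-16:]} Code Signing <code@example.org>",
    f"[GNUPG:] VALIDSIG {CODE_SIGNING_CERT} 2020-01-04 1578128413 0 4 0 22 8 00 {CODE_SIGNING_CERT}",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
SIGNED_WITH_EMAIL_SUBKEY = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {EMAIL_SUBKEY_A[-16:]} Mail User <mail@example.org>",
    f"[GNUPG:] VALIDSIG {EMAIL_SUBKEY_A} 2020-01-04 1578128413 0 4 0 22 8 00 {EMAIL_CERT}",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
# The "two signatures from two subkeys of one certificate" case described in the post.
SIGNED_TWICE_SAME_CERT = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] VALIDSIG {EMAIL_SUBKEY_A} 2020-01-04 1578128413 0 4 0 22 8 00 {EMAIL_CERT}",
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] VALIDSIG {EMAIL_SUBKEY_B} 2020-01-04 1578128413 0 4 0 22 8 00 {EMAIL_CERT}",
]

_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<sig_fpr>[0-9A-F]{40})(?: \S+){8}"
    r"(?: (?P<primary_fpr>[0-9A-F]{40}))?$"
)

def signing_certificates(status_lines):
    """Primary-key fingerprints behind every valid signature (empty if none).
    Falls back to the signing fingerprint when GnuPG omits the primary field."""
    certs = set()
    for line in status_lines:
        m = _VALIDSIG.match(line)
        if m:
            certs.add(m.group("primary_fpr") or m.group("sig_fpr"))
    return frozenset(certs)

def allowed_for_code(status_lines, allowed=frozenset({CODE_SIGNING_CERT})):
    """Accept only if at least one valid signature exists and all chain to an allowed certificate."""
    certs = signing_certificates(status_lines)
    return bool(certs) and certs <= allowed
```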


